Play interactive tour

Edit tour

Analysis Report Fennec Pharma.xlsx

Overview

General Information

Sample Name:	Fennec Pharma.xlsx
Analysis ID:	321368
MD5:	a2315b66552273d966bdc8570a6a7208
SHA1:	ad82640b54ce17f43e9df68ebfa700de48df5ef0
SHA256:	8c3a18ce48dbab7971870da260421c03483e279795768bfdeb0ee7dd6079ec2b
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Allocates a big amount of memory (probably used for heap spraying)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 2024 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

iexplore.exe (PID: 4300 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6328 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4300 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html

SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Source: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	HTTP Parser: No <meta name="author".. found
Source: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	HTTP Parser: No <meta name="author".. found
Source: https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	HTTP Parser: No <meta name="author".. found
Source: https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	HTTP Parser: No <meta name="author".. found

Source: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	HTTP Parser: No <meta name="copyright".. found
Source: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	HTTP Parser: No <meta name="copyright".. found
Source: https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	HTTP Parser: No <meta name="copyright".. found
Source: https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	HTTP Parser: No <meta name="copyright".. found

Source: excel.exe

Memory has grown: Private usage: 1MB later: 75MB

Source: Joe Sandbox View

IP Address: 74.125.140.154 74.125.140.154

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: msapplication.xml0.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8274125e,0x01d6bfe2</date><accdate>0x8274125e,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8274125e,0x01d6bfe2</date><accdate>0x8274125e,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8278d6fe,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8278d6fe,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x827b3963,0x01d6bfe2</date><accdate>0x827b3963,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x827b3963,0x01d6bfe2</date><accdate>0x827b3963,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: document_view.min[1].js.17.dr	String found in binary or memory: re glad you like WorkFlowy. Please share it with your friends!"),!c.d()&&o.createElement(o.Fragment,null,o.createElement("div",{className:Object(l.e)({marginBottom:"24px",lineHeight:"20px",fontSize:"13px"})},o.createElement("strong",null,"When a friend signs up through your Facebook post, we'll give you"," ",s===d?"both "+s+" more monthly items.":s+" more monthly items."+(d?" They'll get "+d+" more items too.":""))," ","You currently have ",i," WorkFlowy items per month.")),o.createElement(a.b,{buttonStyle:a.a.Primary,onClick:function(){var e=f+"&utm_campaign=friend_recommendation_prompt_10_days&utm_medium=facebook&utm_source=wf";window.open("https://www.facebook.com/sharer/sharer.php?u="+e,"Share WorkFlowy","height=640,width=558,left=50,top=50"),_gaq.push(["_trackPageview","/virtual/friend_recommendation_prompt/10_days/facebook_share_button_clicked"])}},"Share WorkFlowy on Facebook")))}},t}return d(t,e),t.prototype.componentWillUnount=function(){_gaq.push(["_trackPageview","/virtual/friend_recommendation_prompt/10_days/rating_dialog_closed/"])},t.prototype.render=function(){return o.createElement(o.Fragment,null,o.createElement(u.b,null,"What do you think of WorkFlowy?"),o.createElement("div",{className:Object(l.e)({marginTop:"24px",marginBottom:"24px"})},"Please click a star to rate WorkFlowy."),o.createElement(p,{onChange:this.onRatingChange}),o.createElement("div",{className:Object(l.e)({marginTop:"24px",marginBottom:"12px",fontSize:"13px",lineHeight:"20px"})},"You equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: workflowy.com

Source: document_view.min[1].js.17.dr	String found in binary or memory: http://getfirefox.com
Source: document_view.min[1].js.17.dr	String found in binary or memory: http://google.com/chrome
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.16.dr	String found in binary or memory: http://www.amazon.com/
Source: ga[1].js.17.dr	String found in binary or memory: http://www.google-analytics.com
Source: msapplication.xml1.16.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.16.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.16.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.16.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.16.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.16.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.16.dr	String found in binary or memory: http://www.youtube.com/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.office.net
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://augloop.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://cdn.entity.
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://cortana.ai
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://cr.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://directory.services.
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://graph.windows.net
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: {AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	String found in binary or memory: https://jamif-cdn3d.us
Source: ~DF6B30D1274994D5C2.TMP.16.dr	String found in binary or memory: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://login.windows.local
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://management.azure.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://management.azure.com/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://outlook.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: ga[1].js.17.dr	String found in binary or memory: https://ssl.google-analytics.com
Source: Tdcv9KOl0AuohEPI[1].htm.17.dr	String found in binary or memory: https://ssl.google-analytics.com/ga.js
Source: ga[1].js.17.dr	String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
Source: ga[1].js.17.dr	String found in binary or memory: https://stats.g.doubleclick.net/j/collect?
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://tasks.office.com
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: {AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	String found in binary or memory: https://workflowy-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.htmlRoot
Source: {AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	String found in binary or memory: https://workflowy.com/
Source: login[1].htm0.17.dr, signup[1].htm0.17.dr	String found in binary or memory: https://workflowy.com/accounts/password_reset/
Source: ~DF6B30D1274994D5C2.TMP.16.dr	String found in binary or memory: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI
Source: ~DF6B30D1274994D5C2.TMP.16.dr	String found in binary or memory: https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI&Log
Source: imagestore.dat.17.dr	String found in binary or memory: https://workflowy.com/media/i/favicon.ico
Source: imagestore.dat.17.dr	String found in binary or memory: https://workflowy.com/media/i/favicon.ico~
Source: document_view.min[1].js.17.dr	String found in binary or memory: https://workflowy.com/referrals/
Source: {AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	String found in binary or memory: https://workflowy.com/s/this-doRoot
Source: ~DF6B30D1274994D5C2.TMP.16.dr, {AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	String found in binary or memory: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI
Source: ~DF6B30D1274994D5C2.TMP.16.dr	String found in binary or memory: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI#/7686a5f8c6e6
Source: {AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	String found in binary or memory: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPIRoot
Source: ~DF6B30D1274994D5C2.TMP.16.dr	String found in binary or memory: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPInThis
Source: ~DF6B30D1274994D5C2.TMP.16.dr	String found in binary or memory: https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: ga[1].js.17.dr	String found in binary or memory: https://www.google.%/ads/ga-audiences?
Source: ga[1].js.17.dr	String found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?
Source: 1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: classification engine

Classification label: mal48.winXLSX@4/46@5/2

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{EE9DC512-8BF2-4D04-B384-8C8BE8D048B8} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4300 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4300 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Fennec Pharma.xlsx

Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Process Injection1	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Extra Window Memory Injection1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Fennec Pharma.xlsx	0%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
bam-cell.nr-data.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html	100%	SlashNext	Fake Login Page type: Phishing & Social Engineering
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://workflowy-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.htmlRoot	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://www.google.%/ads/ga-audiences?	0%	URL Reputation	safe
https://www.google.%/ads/ga-audiences?	0%	URL Reputation	safe
https://www.google.%/ads/ga-audiences?	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
workflowy.com	54.84.56.113	true	false		high
stats.l.doubleclick.net	74.125.140.154	true	false		high
js-agent.newrelic.com	unknown	unknown	false		high
bam-cell.nr-data.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
stats.g.doubleclick.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html	true	SlashNext: Fake Login Page type: Phishing & Social Engineering	unknown
https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	false		high
https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	false		high
https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI#/7686a5f8c6e6	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://workflowy.com/referrals/	document_view.min[1].js.17.dr	false		high
https://login.microsoftonline.com/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://shell.suite.office.com:1443	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://cdn.entity.	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://wus2-000.contentsync.	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://powerlift.acompli.net	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://cortana.ai	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://api.aadrm.com/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://workflowy.com/	{AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	false		high
https://ofcrecsvcapi-int.azurewebsites.net/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI	~DF6B30D1274994D5C2.TMP.16.dr, {AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://api.microsoftstream.com/api/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://cr.office.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI&Log	~DF6B30D1274994D5C2.TMP.16.dr	false		high
https://workflowy.com/accounts/password_reset/	login[1].htm0.17.dr, signup[1].htm0.17.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
http://www.reddit.com/	msapplication.xml4.16.dr	false		high
https://ecs.office.com/config/v2/Office	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://graph.ppe.windows.net	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://officeci.azurewebsites.net/api/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://store.office.cn/addinstemplate	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI#/7686a5f8c6e6	~DF6B30D1274994D5C2.TMP.16.dr	false		high
https://wus2-000.pagecontentsync.	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://globaldisco.crm.dynamics.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://store.officeppe.com/addinstemplate	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html	~DF6B30D1274994D5C2.TMP.16.dr	true	SlashNext: Fake Login Page type: Phishing & Social Engineering	unknown
https://www.odwebp.svc.ms	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://web.microsoftstream.com/video/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://graph.windows.net	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://workflowy-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.htmlRoot	{AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	false	Avira URL Cloud: safe	unknown
https://dataservice.o365filtering.com/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://stats.g.doubleclick.net/j/collect?	ga[1].js.17.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
http://www.youtube.com/	msapplication.xml7.16.dr	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
http://weather.service.msn.com/data.aspx	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://apis.live.net/v5.0/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://management.azure.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://outlook.office365.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://incidents.diagnostics.office.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPIRoot	{AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat.16.dr	false		high
https://workflowy.com/media/i/favicon.ico	imagestore.dat.17.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://api.office.net	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://incidents.diagnosticssdf.office.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
http://www.amazon.com/	msapplication.xml.16.dr	false		high
https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPInThis	~DF6B30D1274994D5C2.TMP.16.dr	false		high
https://entitlement.diagnostics.office.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI	~DF6B30D1274994D5C2.TMP.16.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
http://www.twitter.com/	msapplication.xml5.16.dr	false		high
https://autodiscover-s.outlook.com	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://templatelogging.office.com/client/log	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://www.google.%/ads/ga-audiences?	ga[1].js.17.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://management.azure.com/	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false		high
https://ncus-000.contentsync.	1DB54918-1914-409E-A82A-9E287AC43C12.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
74.125.140.154	unknown	United States		15169	GOOGLEUS	false
54.84.56.113	unknown	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321368
Start date:	21.11.2020
Start time:	00:41:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Fennec Pharma.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winXLSX@4/46@5/2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Browse link: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI Scroll down Close Viewer Browsing link: https://workflowy.com/signup?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI Browsing link: https://workflowy.com/login?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI Browsing link: https://workflowy.com/s/this-document-is-too/Tdcv9KOl0AuohEPI#/7686a5f8c6e6 Browsing link: https://jamif-cdn3d.us-east-1.linodeobjects.com/dfce06801e1a85d6d06f1fdd4475dacd.html
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.109.32.27, 52.109.8.22, 52.109.8.25, 104.43.139.144, 51.104.139.180, 52.147.198.201, 92.122.144.200, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 88.221.62.148, 216.58.212.168, 151.101.2.110, 151.101.66.110, 151.101.130.110, 151.101.194.110, 162.247.243.147, 162.247.243.146, 51.104.144.132, 152.199.19.161 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, tls12.newrelic.com.cdn.cloudflare.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, ssl-google-analytics.l.google.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ie9comview.vo.msecnd.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, f4.shared.global.fastly.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, ssl.google-analytics.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, europe.configsvc1.live.com.akadns.net, cs9.wpc.v0cdn.net Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
74.125.140.154	Fennec Pharma.xlsx	Get hash	malicious	Browse
	http://www.openair.com	Get hash	malicious	Browse
	http://reporter.phishmetraining.co.uk/24e453/4630e9ea-a48b-4895-a43e-b63730e122ce/?test=1	Get hash	malicious	Browse
	https://microsoftoffice365online.typeform.com/to/xdXVf9Ct	Get hash	malicious	Browse
	https://www.canva.com/design/DAEJ8KLYNag/QtkcZ9ERBF8gvmK5sR_W_A/view?utm_content=DAEJ8KLYNag&utm_campaign=designshare&utm_medium=link&utm_source=homepage_design_menu	Get hash	malicious	Browse
	http://friendstamilmp3.in/	Get hash	malicious	Browse
	https://www.canva.com/design/DAEJRw-Cekg/yqHz7lRXkcf0H9s6UXEU-Q/view?utm_content=DAEJRw-Cekg&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse
	https://www.canva.com/design/DAEJRw-Cekg/yqHz7lRXkcf0H9s6UXEU-Q/view?utm_content=DAEJRw-Cekg&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse
	http://hollywoodmeasurements.com	Get hash	malicious	Browse
	https://www.canva.com/design/DAEJKbafGCE/fHPnxhih9GgyFXoG9r1tew/view?utm_content=DAEJKbafGCE&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse
	https://help-deskserv.000webhostapp.com/	Get hash	malicious	Browse
	https://www.joesandbox.com	Get hash	malicious	Browse
	https://l.facebook.com/l.php?u=https%3A%2F%2Ftinyurl.com%2Fy3da9xbq%3Ffbclid%3DIwAR11jNtpFJqmHsfB6MuN4oB-gl7-RlVZqSgYIbmZW4ycJwtQ-tC85PzgLO4&h=AT1i9PU8X_itDVqe5yg4Afn5zFPp0KVwni5sQg-Oc5Yor7a-8EWrOl11b-y21X_Oi92_H_jMhPiEjm3aKUnMEib9p96Fuptgd9vraABiOS8AO8X86OxcPZyET7VlHYnKBg&__tn__=H-R&c[0]=AT26jLdBW-b9efDmUD2-IVQDmvnfjC8zMcJVpGrmXtfU07ZmaRqvjC3hcq86tiO8rGqmY2DrakboCaPRMLQtsl2m1yZfExawqplv_zZwazNNYlc2wsoaV6LvzXDEPrWYoMbJFnx7l8Qm7vznPPnkddWEuQ	Get hash	malicious	Browse
	https://link.zixcentral.com/u/978d75d5/3kJl2Df-6hG7clLXhnsoMg?u=https%3A%2F%2Flink.fishbowlcommunity.com%2Fhr%2F	Get hash	malicious	Browse
	https://info.virtualization-online.org/l/O0Hgqz--392KVPQgwkE7h30f1DAbuHUM4WGQhNI7XHU	Get hash	malicious	Browse
	http://communicatoremail.com/In/248026654/0/U_iN_NpFmSlm9AlJ1msNeMcX1KYFN_5UtYbjMi~Nnrg/	Get hash	malicious	Browse
	https://avecassurance.typeform.com/to/Mfo29tYj	Get hash	malicious	Browse
	https://redbooth.com/n/2db32188f3c9f025/icfluid-power-inc	Get hash	malicious	Browse
	4524754_tgp.docx	Get hash	malicious	Browse
	https://extraheberg.com/6747373696b6b656d614070656c6c612e636f6d	Get hash	malicious	Browse
54.84.56.113	Fennec Pharma.xlsx	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
stats.l.doubleclick.net	Fennec Pharma.xlsx	Get hash	malicious	Browse	74.125.140.154
	http://www.openair.com	Get hash	malicious	Browse	74.125.140.154
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	108.177.15.155
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	108.177.15.155
	http://global.krx.co.kr/board/GLB0205020100/bbs#view=649	Get hash	malicious	Browse	108.177.15.155
	https://www.canva.com/design/DAEN9RlD8Vk/acBvt6UoL-DafjXmQk38pA/view?utm_content=DAEN9RlD8Vk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	108.177.15.156
	http://WWW.ALYSSA-J-MILANO.COM	Get hash	malicious	Browse	108.177.15.156
	http://www.marcusevans.com	Get hash	malicious	Browse	108.177.15.154
	http://septterror.tripod.com/the911basics.html	Get hash	malicious	Browse	108.177.15.155
	https://tgcdevgroup-my.sharepoint.com/:b:/g/personal/jmoore_tgcgroup_net/EcgJdwLEdb9OriDBRaw9slAB4_8AMjn68ZCbL_ahHtwjIA?e=4%3a8pEDtO&at=9	Get hash	malicious	Browse	108.177.15.157
	http://45.95.168.116	Get hash	malicious	Browse	108.177.15.156
	https://www.canva.com/design/DAEN3YdYVHw/zaVHWoDx-9G9l20JXWSBtg/view?utm_content=DAEN3YdYVHw&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	108.177.15.155
	https://www.canva.com/design/DAENqED8UzU/0m_RcAQIILTwa79MyPG8KA/view?utm_content=DAENqED8UzU&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	108.177.119.155
	http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples	Get hash	malicious	Browse	108.177.119.154
	https://www.vedansha.com/doc/office/LatestLOGOOfficeEncoded/LatestLOGOOfficeEncoded/RedirectPage/marc.loney@navitas.com	Get hash	malicious	Browse	108.177.119.154
	https://olhonabrasa.com.br/secure/zimbra/access/zimbra/index.php	Get hash	malicious	Browse	108.177.15.154
	https://www.canva.com/design/DAEN4Gk1aAs/uErgK6sn3gPozGMXWtYgqA/view?utm_content=DAEN4Gk1aAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	108.177.15.157
	https://soprapaludo.it/	Get hash	malicious	Browse	108.177.15.157
	http://cricketventures.com	Get hash	malicious	Browse	108.177.15.157
	https://www.chm-endurance.com/	Get hash	malicious	Browse	108.177.15.156

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	Fennec Pharma.xlsx	Get hash	malicious	Browse	54.84.56.113
	https://albanesebros.sendx.io/lp/shared-doc.html	Get hash	malicious	Browse	3.213.165.33
	http://www.openair.com	Get hash	malicious	Browse	34.202.206.65
	https://faxfax.zizera.com/remittanceadvice	Get hash	malicious	Browse	184.73.218.177
	http://webnavigator.co	Get hash	malicious	Browse	34.235.7.64
	https://mcmms.typeform.com/to/Vtnb9OBC	Get hash	malicious	Browse	34.200.62.85
	yQDGREHA9h.exe	Get hash	malicious	Browse	54.235.83.248
	mcsrXx9lfD.exe	Get hash	malicious	Browse	54.235.83.248
	SecuriteInfo.com.Trojan.PackedNET.461.20928.exe	Get hash	malicious	Browse	23.21.42.25
	Defender-update-kit-x86x64.exe	Get hash	malicious	Browse	54.225.153.147
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	54.225.66.103
	ORDER.exe	Get hash	malicious	Browse	54.235.142.93
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	52.1.99.77
	Bill # 2.xlsx	Get hash	malicious	Browse	23.21.42.25
	https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip#	Get hash	malicious	Browse	35.170.181.205
	BANK ACCOUNT INFO!.exe	Get hash	malicious	Browse	107.22.223.163
	PO1.xlsx	Get hash	malicious	Browse	174.129.214.20
	https://rebrand.ly/zkp0y	Get hash	malicious	Browse	54.227.164.140
	AccountStatements.html	Get hash	malicious	Browse	18.209.113.162
	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.204.14.42
GOOGLEUS	Fennec Pharma.xlsx	Get hash	malicious	Browse	74.125.140.154
	https://elharless.github.io/stamapdevmo/tak.html?bbre=oadfis48sd	Get hash	malicious	Browse	172.217.21.193
	http://www.openair.com	Get hash	malicious	Browse	172.217.16.194
	https://faxfax.zizera.com/remittanceadvice	Get hash	malicious	Browse	142.250.74.194
	http://ec.autohonda.it	Get hash	malicious	Browse	172.217.23.161
	ING.apk	Get hash	malicious	Browse	172.217.23.170
	bot.apk	Get hash	malicious	Browse	216.58.212.174
	ING_.apk	Get hash	malicious	Browse	216.58.212.174
	https://mcmms.typeform.com/to/Vtnb9OBC	Get hash	malicious	Browse	172.217.22.34
	NQQWym075C.exe	Get hash	malicious	Browse	34.102.136.180
	vOKMFxiCYt.exe	Get hash	malicious	Browse	34.102.136.180
	com.fdhgkjhrtjkjbx.model.apk	Get hash	malicious	Browse	216.58.212.163
	http://www.portal.office.com.s3-website.us-east-2.amazonaws.com#p.steinberger@wafra.com	Get hash	malicious	Browse	172.217.16.193
	https://storage.googleapis.com/storesll0f4bb6d9b7f964569155d2bb42628/a83416219a20d87f4dabde9f057f93b5.html#p.steinberger@wafra.com	Get hash	malicious	Browse	172.217.16.193
	https://docs.google.com/document/d/e/2PACX-1vS19QxlBmfgZPBsUyM3LjkhvVA-TJ0Z_P3J8f_cqg7VN4_zRcrthLeTjZzAubcBh9YWnC0ty3FtmofH/pub	Get hash	malicious	Browse	172.217.16.193
	https://sites.google.com/site/id500800931/googledrive/share/downloads/storage?FID=6937265496484	Get hash	malicious	Browse	172.217.16.193
	https://docs.google.com/document/d/e/2PACX-1vSF_0NxJ4W_JaHZNaHV7imTfN6FtP563leR3WEEVqre35gDV9YM55P9l-6Y-B1gmL7J7GW--QSF89LQ/pub	Get hash	malicious	Browse	172.217.16.193
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	172.217.23.161
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	172.217.21.195
	https://bit.ly/35MTO80	Get hash	malicious	Browse	172.217.23.161

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	https://albanesebros.sendx.io/lp/shared-doc.html	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://xerox879784379923.azureedge.net??#ZGluYS5qb25nZWtyeWdAYWxhc2thYWlyLmNvbQ	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://flyboyfurnishings.com/firstam/RD-FITT	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	http://ec.autohonda.it	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	http://webnavigator.co	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	http://www.947947.mirramodaintima.com.br/#aHR0cHM6Ly9lbXl0dXJrLmNvbS9zZC9JSy9vZjEvRmlkZWwuVG9ycmVzQHNlYXJzaGMuY29t	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://t.e.vailresorts.com/r/?id=hda0e43a,3501a2a,3501f68&VRI_v73=c2F1bWlsLnNoYWhAYXJtLmNvbQ==&cmpid=EML_SNOWALRT_OTHR_000_NW_00_00000_000000_000000_20200110_v01&p1=www.snow.com%40g-em.xyz	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	http://microsoftonlineofficeteam.weebly.com	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	ACH & WlRE REMlTTANCE ADVlCE.xlsx	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	SecuriteInfo.com.Trojan.GenericKD.35280757.18070.dll	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://docs.google.com/document/d/e/2PACX-1vS19QxlBmfgZPBsUyM3LjkhvVA-TJ0Z_P3J8f_cqg7VN4_zRcrthLeTjZzAubcBh9YWnC0ty3FtmofH/pub	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	http://37.1.220.206/bTcpkT?subacc=manualen2015&subacc2=m.inmanuals.com&subacc3=inmanuals.com&keyword=Fall%20Trivia%20Questions%20And%20Answers&site=	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://bakrisoil.com/wp-content/cd.php?e=gjeffries@hughesellard.com	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	Payment conflict- aptiv 082920134110.htm	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://aanqylta.com/42/ac/7f/42ac7faefbb3c959ec74f8c07898a6eb.js	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://docs.google.com/document/d/e/2PACX-1vSF_0NxJ4W_JaHZNaHV7imTfN6FtP563leR3WEEVqre35gDV9YM55P9l-6Y-B1gmL7J7GW--QSF89LQ/pub	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://t.e.vailresorts.com	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
	https://t.e.vailresorts.com/r/?id=hda0e43a,3501a2a,3501f68&VRI_v73=YnJlbmRhLmNvcGVsYW5kQHN0ZXViZW50cnVzdC5jb20=&cmpid=EML_SNOWALRT_OTHR_000_NW_00_00000_000000_000000_20200110_v01&p1=www.snow.com%40h-is.xyz	Get hash	malicious	Browse	54.84.56.113 74.125.140.154
37f463bf4616ecd445d4a1937da06e19	https://elharless.github.io/stamapdevmo/tak.html?bbre=oadfis48sd	Get hash	malicious	Browse	54.84.56.113
	https://albanesebros.sendx.io/lp/shared-doc.html	Get hash	malicious	Browse	54.84.56.113
	https://faxfax.zizera.com/remittanceadvice	Get hash	malicious	Browse	54.84.56.113
	https://flyboyfurnishings.com/firstam/RD-FITT	Get hash	malicious	Browse	54.84.56.113
	http://webnavigator.co	Get hash	malicious	Browse	54.84.56.113
	http://www.947947.mirramodaintima.com.br/#aHR0cHM6Ly9lbXl0dXJrLmNvbS9zZC9JSy9vZjEvRmlkZWwuVG9ycmVzQHNlYXJzaGMuY29t	Get hash	malicious	Browse	54.84.56.113
	http://microsoftonlineofficeteam.weebly.com	Get hash	malicious	Browse	54.84.56.113
	ACH & WlRE REMlTTANCE ADVlCE.xlsx	Get hash	malicious	Browse	54.84.56.113
	http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=	Get hash	malicious	Browse	54.84.56.113
	Payment conflict- aptiv 082920134110.htm	Get hash	malicious	Browse	54.84.56.113
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	54.84.56.113
	https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2	Get hash	malicious	Browse	54.84.56.113
	https://coralcliffs.com.do/review/	Get hash	malicious	Browse	54.84.56.113
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	54.84.56.113
	https://hastebin.com/raw/xatuvoxixa	Get hash	malicious	Browse	54.84.56.113
	https://rebrand.ly/zkp0y	Get hash	malicious	Browse	54.84.56.113
	USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE	Get hash	malicious	Browse	54.84.56.113
	Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe	Get hash	malicious	Browse	54.84.56.113
	https://u19114248.ct.sendgrid.net/ls/click?upn=1kMFt-2Foese19BdzKqBBNxmUiDNiO3l4ozyKR3JHYHjGXyXtR1YgfLizwybC7hwFoy4wlb-2FUZczInc9Ssmzz4dQ-3D-3DuU6r_TCf26aIMQHFUMJSqtVnzlcWBqfQpkiFxCOBj9heiSevnqRkiapxQjkatt3r5u5xw-2FNDgXhA220pIRwcKmyMneET98pBkuhL-2FUwJCaSrvE5mZhnMBtJdZf9Opljklq5t7Y-2BINqElPIJU8bjYLY27qV6L-2FSwA36husfmMqwKagSwOgE04FdniEmY9uEbym50XNhqKw9lgczv6HrSrYNm6ouXnIayW-2FSBLzGYxoTYKe6OA-3D	Get hash	malicious	Browse	54.84.56.113
	https://rugbysacele.ro/zz/IK/of1/nhctfwp4x278qkbusvijl6z39y5ema1o0gdr597irqhw4x0fk3uevzlaoj12bdmpsnt8g6yce40h6iv7bprsowxd3z2nmu8kal5gcj1yf9qt?data=dmluY2VudC5kdXNvcmRldEBpbWQub3Jn#aHR0cHM6Ly9ydWdieXNhY2VsZS5yby96ei9JSy9vZjEvNDUzMjY3NzY4JmVtYWlsPXZpbmNlbnQuZHVzb3JkZXRAaW1kLm9yZw==	Get hash	malicious	Browse	54.84.56.113

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E9SUMB4W\workflowy[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	4886
Entropy (8bit):	5.084942187299671
Encrypted:	false
SSDEEP:	96:OT81T8g4Kw1T8g4KwGI1T8g4KwGI61T8g4KwGI10hNg4KwGI10hNg4vwfI10hNg5:OioI/IamP
MD5:	2CF52AD9EA4BAFD7F3B960CF24E67E9D
SHA1:	77E3DBD8CA9BDCDC8F75BFD06EAF13AE1D8D2B4F
SHA-256:	53964BBA3FAC50397C6C4B1AA44328654B182E817FB680650F4AF758E76994CC
SHA-512:	B1517E764539275E813FABC06B0EB5C10BDB27AB6B50905D7DDACB057CDA51C444DCC7B841A58059C109C90D0B98720F9C2E05577917FE4A68D4ACBA6FAA3CD7
Malicious:	false
Reputation:	low
Preview:	<root></root><root><item name="mostRecentlyOpenedWindowId" value="1605948232295-0.7645524765947365" ltime="1886507568" htime="30851042" /></root><root><item name="mostRecentlyOpenedWindowId" value="1605948232295-0.7645524765947365" ltime="1886507568" htime="30851042" /><item name="userstorage.user_id" value="-1" ltime="1889297568" htime="30851042" /><item name="userstorage.format_version" value="3" ltime="1889297568" htime="30851042" /><item name="userstorage.appcache_id" value="2020-11-20 23:43:49.809624" ltime="1889297568" htime="30851042" /><item name="userstorage.settings" value="{"font_size":19}" ltime="1889407568" htime="30851042" /></root><root><item name="mostRecentlyOpenedWindowId" value="1605948232295-0.7645524765947365" ltime="1886507568" htime="30851042" /><item name="userstorage.user_id" value="-1" ltime="1889297568" htime="30851042" /><item name="userstorage.format_version" value="3" ltime="1889297568" htime="30851042" /><item name="userstorage.appcache_id" valu

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AB2119CD-2BD5-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	33368
Entropy (8bit):	1.8775748656755615
Encrypted:	false
SSDEEP:	96:rhZCZ42R9WXPtX7fX2lMXbX1XfX5tXeC3:rhZCZ42R9WftrfmlMLFPJtOC3
MD5:	58BB42E48EB0FB0DA8D8649249F403F0
SHA1:	E451A8BD84A34EAC239DFEA9FA153DD6B9CF5395
SHA-256:	21A3367170541DF1F3FEFF4E7735C9F9E1F9F84BDE1DC4B689CEDB0460E4461D
SHA-512:	4D198E5139C89A94F82875E366887896D5039DAC150FE88602A9595C138AAA2101305BF282ED9AD8B41F0EC759223D518E2E92AED580BA24289A4DD2372E8820
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AB2119CF-2BD5-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	86526
Entropy (8bit):	2.3886572834294633
Encrypted:	false
SSDEEP:	384:rDvCidhUM7p2oMH4SMy5HeQBMd9joKA8iJ/MCM3bktybJBvDZUdbHWs4qhKEeZ8X:p6EXlTaArKyhU5hD5IHJY0tY
MD5:	6EB80177472F08CCD0D65825CDE8E622
SHA1:	968F68A661F211CFC7D2E90A5EF375C92B7F1F45
SHA-256:	AA683721EF15A902EFD271E0941C8E93BCF3C253CB5CC49C2668C92A1719FE3D
SHA-512:	19B5DECBADC8D73FDB350DB90C4FE149AF524225A315BD1D389554AF0144F3811EE7BCAE9E1AB2DC94C8FAC22EF08D1E70ABE7B8A39B8895DA5D7ED5A5B99558
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BCF5FF47-2BD5-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.565400018512696
Encrypted:	false
SSDEEP:	48:IweGcprvGwpaCG4pQSGrapbSJrGQpK2G7HpResTGIpG:rCZZQy6UBSJFAhTe4A
MD5:	FEE5A57593CDF81ABD2D5B3BCE279480
SHA1:	6D77B2EDD462A583E07F5921D740D57890DD09DB
SHA-256:	F6DB71730890F2D200C1EB30918589D629E2A001D5151606AE3791390E36A81C
SHA-512:	FC71A36C955C69051B0058B6D25ECCEE296ECB1547E06BC53F318B4FB613D63D90B4029779195B896CD0A4E2F2C0F8EF6ACA3D03054DC1824D38D4D2E131CF2D
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.099301151456237
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEu333wnWimI002EtM3MHdNMNxOEu333wnWimI00ObVbkEtMb:2d6NxORHASZHKd6NxORHASZ76b
MD5:	2F1FA83A963FEC4C5353F19A9C5E123A
SHA1:	9162FCFA97D69397E5D670FD2F6EF7DD92552C6C
SHA-256:	CF884F5D57CC978768518E71F26D468DE7E2A9768E7DC8DA9DE9DC024CE28CC1
SHA-512:	B054696347B9A5B559721074385DAA82EC7948DA3ADEC85A5D6CE56BBDF95C5185256E904B57E866F3D25B4D223CEF155154C872A5D8126E2826F8317FE889A2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8278d6fe,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8278d6fe,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.115532552519856
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kaO0OpnWimI002EtM3MHdNMNxe2kaO0OpnWimI00Obkak6EtMb:2d6NxrE9pSZHKd6NxrE9pSZ7Aa7b
MD5:	640FCD7698BD45764FB83D8E50634AB1
SHA1:	1B33F94C07F07037AFC6B7744FC238F11D1A4689
SHA-256:	D967C9C650E80AF3F7F4B57B6489AAE9EF06F53F9164A6A09773E2423AD03A40
SHA-512:	46BA330D94D6F7EF950DEE809C5D3F0D981AD16B922FC90008925F754DADEF1D4836AD6D8C4BBB933563C8EAE4D301B4AFA393DF71D6EF12B3FBEFEC28ABE720
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x8271b002,0x01d6bfe2</date><accdate>0x8271b002,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x8271b002,0x01d6bfe2</date><accdate>0x8271b002,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.156741033241884
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL7nWimI002EtM3MHdNMNxvL7nWimI00ObmZEtMb:2d6Nxv3SZHKd6Nxv3SZ7mb
MD5:	C08C03F413F7E8674E84BBC1699F6E5D
SHA1:	97B4AC795489D6E4FD4E503718D99B02F53A8134
SHA-256:	5A87E1FC366CC60BAEAED8D6F678A54F8D7D60C49A3DEE4D5CFA82340003158C
SHA-512:	CABA75A4D41091B0BC65DA8DFF7BB569613C1B0A89069C1AB1CC27FE6D2A53026CAEE3C43FEEBC61C1E578514DFEE0ADB219D469FD63ED08F473774ACEB60C94
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x827b3963,0x01d6bfe2</date><accdate>0x827b3963,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x827b3963,0x01d6bfe2</date><accdate>0x827b3963,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.135209069321534
Encrypted:	false
SSDEEP:	12:TMHdNMNxip4SnWimI002EtM3MHdNMNxip93wnWimI00Obd5EtMb:2d6NxK4SSZHKd6NxK9ASZ7Jjb
MD5:	08DF1CADD3C1B5C598BAF5DEA660E804
SHA1:	D678757750B71D285D2BF27715E052A8976BD75B
SHA-256:	3330DF13369EA58840A1527A812BB5D34E4C26BDAD82B623CFB25BE41546F114
SHA-512:	534D74E4339B896B88409860370886DBCD5808032025E7D3F74DFF0225DA6BD5D8EF2381D0D79EA67A3207C4322B4CA2EF3584C824E188E18DEC76346597B308
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x827674da,0x01d6bfe2</date><accdate>0x827674da,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x827674da,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.165892273802671
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw7nWimI002EtM3MHdNMNxhGw7nWimI00Ob8K075EtMb:2d6NxQuSZHKd6NxQuSZ7YKajb
MD5:	BE9D925CFF23FFFAD9C5EF3D76019C49
SHA1:	6F70DF7DC7087821672C7B54CCE5515203CC3DD3
SHA-256:	B7933556E74D4759BF26C1F330B162239BD9D3BBFE51569E4378735DDC18E90F
SHA-512:	2071E26FBECB0FF5252A166B775EFBF6E1A36888CC4DEFC9B13ACEEB8BFDD8CB98236115F17788DBDDB618198FC80478E813A54F43A48474682CF8A65F8C97D2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x827b3963,0x01d6bfe2</date><accdate>0x827b3963,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x827b3963,0x01d6bfe2</date><accdate>0x827b3963,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.100062527705872
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nu333wnWimI002EtM3MHdNMNx0nu333wnWimI00ObxEtMb:2d6Nx0uHASZHKd6Nx0uHASZ7nb
MD5:	559A4FCF80B64F828E13235F890007C3
SHA1:	45CD214BA265FDD9D1B9C4C86B282E94B08DAE50
SHA-256:	F4C2DF66D516BE78F1D03DC0A580545FC2435C42EDD159082FCFE8DAF19FD6F6
SHA-512:	9EB4CB603B0EBF92F8E82EF41E9EE6F28516C88F0C5733A990657F4ACC30614080D022B76FE952786FAA22FE2808E7787937B79612CB5CF127055F68C29AF2B3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x8278d6fe,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x8278d6fe,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.139724852726935
Encrypted:	false
SSDEEP:	12:TMHdNMNxxu333wnWimI002EtM3MHdNMNxxu333wnWimI00Ob6Kq5EtMb:2d6Nx0HASZHKd6Nx0HASZ7ob
MD5:	C9DC5AD8F722341B6216CF7913F77AF0
SHA1:	019515C61B32B5D292BA29A54EF1ABB5F58D8D63
SHA-256:	D5709249813875B472C7E20F95128D18DE195E4898ACFC49C960D37F4C5A173E
SHA-512:	5F4CD3782A9111FCB2AE42ACF12F9C6D9D0C3978294CFCE04B0EDFB762537E1BBA1E368851A2561B195A3D9B212D77B6F04498AEAA601FE02765F0B619698D77
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x8278d6fe,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x8278d6fe,0x01d6bfe2</date><accdate>0x8278d6fe,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.140709199167545
Encrypted:	false
SSDEEP:	12:TMHdNMNxcbbbnWimI002EtM3MHdNMNxcbbbnWimI00ObVEtMb:2d6NxMbbSZHKd6NxMbbSZ7Db
MD5:	6F67FB05D3F7DA53E524A5075B866244
SHA1:	DA0D9C6B86F6DC7634BAA7DDAF9F86D48D7C1094
SHA-256:	4880485B3A356562FE96C6CA56E57BB9C6FA4779E7C921DEBF5DBDBFCC305ABD
SHA-512:	62D58A579F06D99588B8B413C365C0703A0D88218A6E7365BDB28CEC3C34E88B21F25A6838C552FBEB494CF57C967F766EBCE397D542BA8E4E1EC78D2FCA55BC
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8274125e,0x01d6bfe2</date><accdate>0x8274125e,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8274125e,0x01d6bfe2</date><accdate>0x8274125e,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.127715009991347
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnbbbnWimI002EtM3MHdNMNxfnbpSnWimI00Obe5EtMb:2d6NxjbbSZHKd6NxjpSSZ7ijb
MD5:	C9C19D01C9C45B6A3992182C593CB096
SHA1:	C0FBCFFFE2FDF082D5AEC6E28F96546377CF7BCD
SHA-256:	C6F76D69A1225C296E2657239557F5BA12A35E0C3B17BDACBC24AC6DC7F1D05A
SHA-512:	496762ABE053F988A012CF259B0D5CFB5A0D69D0294C2FD9FFBBF036097A8022DDEE7E0092160F66BCF083AEA9B2D3B667ABBF52A83145419DE1478DFFEC3917
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x8274125e,0x01d6bfe2</date><accdate>0x8274125e,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x8274125e,0x01d6bfe2</date><accdate>0x827674da,0x01d6bfe2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	370820
Entropy (8bit):	4.811841738378212
Encrypted:	false
SSDEEP:	1536:UD48rp0/IBXhIyu0/7rbkQblJ0AAhNPqIpu:P8e/IBXjPATSIpu
MD5:	537D2268C3F3DA4AA3A6DB18001CCB26
SHA1:	B6AE47DF699871E2E3D9FEBACA878E3944591974
SHA-256:	1DF8D24E165D805EDF0784D81B48766B602CD2A5A2980B36FE0E2FB6FDC3223A
SHA-512:	7239924F9B556845CEBC8282F4FD086CD55878FC163CB9054FFE103C1B3888F1108A501C06CDEFB5284E73F497184562F60B9B357A0391CD9307BBEA1CEB101F
Malicious:	false
Reputation:	low
Preview:	).h.t.t.p.s.:././.w.o.r.k.f.l.o.w.y...c.o.m./.m.e.d.i.a./.i./.f.a.v.i.c.o.n...i.c.o.> .............. .( ......(............. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1DB54918-1914-409E-A82A-9E287AC43C12 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	129952
Entropy (8bit):	5.378321144265729
Encrypted:	false
SSDEEP:	1536:qcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:gmQ9DQW+zBX8u
MD5:	7D464EDE312AC98BDD68313923C08C72
SHA1:	15345D325765AEC2F81951C47E4E1404F13E180D
SHA-256:	B88DEA0BBAFF192F381CB1B01D59AABF5949780024CCA38F3F7DA4AD36E0232F
SHA-512:	A9E0D8E5A8CEDDCDA0A918CB85DC2762A6144CD5B168C3FD3B1CB4599BC42F940B327E4D70A82FD1C5F213730CDF71EA48363F9F37CFFB648D5348BFD87AE455
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-20T23:42:53">.. Build: 16.0.13518.30530-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AAF7DF3E.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 1420 x 1525, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	73822
Entropy (8bit):	7.804116579593595
Encrypted:	false
SSDEEP:	1536:YwbNcsRF6RFBn2Sc9IQDwsQiaFghujpHC:bNcc6RFBxQDzQaujpi
MD5:	4DD10B6F17BC84B07109F3DDE525362E
SHA1:	D0FB1D7E063D58D71DBFDEE083AE6F181D96DB3E
SHA-256:	D98B1F1E9A3B3703D9B1AF00D0D6DA248E13861F821AC347DC01AF67699B8E6B
SHA-512:	A317327433E0202CD79C9A63C5033EAE738BBF5498AFFFE54658F328389DA548F1DF4275758CEBA12F8CD490BDE9544ABB12DECCDC9BC4DD84BA1C9C3368EBF1
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........+......IDATx^....\.Y .+.H....M...&....\.a.a..K..NXr..s. @...@l..8.fk...k6..z..-Y..5...}.z..._.9.tt..UG].....{.t.........:g.........3_..xw.3..0..)....T+..oMl....;..0;.)....vW..W..T..J'...E........K&.,)..Dul(..0;.).....z]...M.]Zz..t..Q.......UY{ku....+..Uv?.L..=....@^u.`e.''.......r...EaJ:.`.(R...g...(m.{b....7.V]....]..R:.`.(R......._.X.V(B.X..."..0..)...S...oL>..T...rai...-.\|.Y.H.................:z"].`6)R......w-..\.+..Mt/)=..t..Y.H...LT.....UV/.V(&..k.Vv.K...e.....\|W=.....j...G.m....U..J...e......6r.....k..*..Mt-......P.$.,S.......p...f.8.m.k.....tQ..H....W.r...N.Y.}.G.Mt/..y:].`.)R....T.....G...r......G..f."...<.Uv>^].d..QS.HZ.kqi.=...t...H....;....]...V(B.X...b.ZM...}......R=........f[y.....:.sB.....G.C.K.>>.]..V].h......t5.9.H.........{&..B..D...._H...+......P)....Ks...m.e......."...<.T.....KJ+....VY....zlW...\Q....._e...............>9Q.MW..+....p....+w/+.Z.+F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=1460
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\eaeea54ab7[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.459147917027245
Encrypted:	false
SSDEEP:	3:CUXJ/lH:Dl
MD5:	BC32ED98D624ACB4008F986349A20D26
SHA1:	2D3DF8C11D2168CE2C27E0937421D11D85016361
SHA-256:	0C9CF152A0AD00D4F102C93C613C104914BE5517AC8F8E0831727F8BFBE8B300
SHA-512:	71ACC6DA78D5D5BF0EEA30E2EE0AC5C992B00EFEC959077DFE0AB769F1DBBD9AF12D5C5C155046283D5416BEB606A9EF323FB410E903768B1569B69F37075B4E
Malicious:	false
Preview:	GIF89a.......,..........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 6 icons, 256x256, 32 bits/pixel, 128x128, 32 bits/pixel
Category:	downloaded
Size (bytes):	370070
Entropy (8bit):	4.80845072778125
Encrypted:	false
SSDEEP:	1536:ZD48rp0/IBXhIyuy/7rbkQblJ0AA/NPwITv:28e/IBXjxA1IITv
MD5:	F411E7E8A5B13EB1DE3974675C0D8CFC
SHA1:	86E1C2A83787FF51333BA6CF512A7C125DE16429
SHA-256:	D183C18DB92DD74B44320182C14B12A627B9F0A836776A7E0C263BE8D2792995
SHA-512:	2B5371D4A7539CD1F142B62BCA89CC806A6A7CE98851BC8AAA103BFD2CF2862F1680A513E0AB65783B88DCA84525B251DFC026172D553F76796D7F4A16C74268
Malicious:	false
IE Cache URL:	https://workflowy.com/media/i/favicon.ico
Preview:	............ .( ..f......... .(.... ..@@.... .(B...(..00.... ..%...j.. .... ............... .h.......(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	7301
Entropy (8bit):	5.357066025426497
Encrypted:	false
SSDEEP:	96:Awj4cNN8Afppuu5EVJSWhGUUkIkKyOd0JbAWAbEbaxx33GNNqkUka6WqyZ4bEm9d:ADu5S5YUudwkNL33GXbgqNt
MD5:	5462057035E108135972ABB914FB85A8
SHA1:	580BDFA18401421EC757AA11F6138BE4DE233D6B
SHA-256:	357F8DC902E87B5F314CBCC917B670FE608B3284BE46ED5AD083A64D9126FF99
SHA-512:	E8429B1EA465EAE47132E08149EA7976176A63CF1A72E55918DC8A6C107B3EC270B838902492DF8E78640DC96BF434CC943AEDE9D5E78CE88DA28D4400661734
Malicious:	false
IE Cache URL:	https://workflowy.com/login/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI
Preview:	<!doctype html><html><head><title>Log in to WorkFlowy</title><meta http-equiv="X-UA-Compatible" content="chrome=1"/><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,700,800" rel="stylesheet" type="text/css"/><meta name="ahrefs-site-verification" content="1e02598fc87129fdd8624212a90901b5a29fe287c590c9740af3c21f34784f42"/><link rel="shortcut icon" type="image/x-icon" href="/media/i/favicon.ico"/><link rel="apple-touch-icon" href="/media/i/icon-57x57.png"/><link rel="apple-touch-icon" sizes="72x72" href="/media/i/icon-72x72.png"/><link rel="apple-touch-icon" sizes="114x114" href="/media/i/icon-114x114.png"/><link rel="apple-touch-startup-image" sizes="768x1004" href="/media/i/workflowy-startup-image-ipad.png"/><link rel="apple-touch-startup-image" href="/media/i/workflowy-startup-image.png"/><meta name="apple-mobile-web-app-status-bar-style" content="black"/><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"/><met

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\nr-1184.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	27995
Entropy (8bit):	5.315806784478887
Encrypted:	false
SSDEEP:	384:yZevj5JLnX8Rfz4cNc4esZt2mwUyAH77jx+zaTgEgi2bikgHIvxYocboatVFKFJb:yZUrW13Zt2A7pFFIpYo8ltqWE5
MD5:	3D7F312BE60D08A2568E311E4762F3AF
SHA1:	EDC028ACC27FB8DC6E2106A071A03AE7F93DC3B4
SHA-256:	780861F2AB29C0144055244696561FB0306C8CB3CB7F548F9105C763B0E91F77
SHA-512:	01507CB531465D496E475994A901D2E54E654810BDADE13BEB0480E9CA75FC92B0E4A5689646CC17FC2B10F93F00C1B000CD5B7C9B024F4A7A60F97905C1658B
Malicious:	false
IE Cache URL:	https://js-agent.newrelic.com/nr-1184.min.js
Preview:	!function(n,e,t){function r(t,i){if(!e[t]){if(!n[t]){var a="function"==typeof __nr_require&&__nr_require;if(!i&&a)return a(t,!0);if(o)return o(t,!0);throw new Error("Cannot find module '"+t+"'")}var u=e[t]={exports:{}};n[t][0].call(u.exports,function(e){var o=n[t][1][e];return r(o\|\|e)},u,u.exports)}return e[t].exports}for(var o="function"==typeof __nr_require&&__nr_require,i=0;i<t.length;i++)r(t[i]);return r}({1:[function(n,e,t){e.exports=function(n,e){return"addEventListener"in window?window.addEventListener(n,e,!1):"attachEvent"in window?window.attachEvent("on"+n,e):void 0}},{}],2:[function(n,e,t){function r(n,e,t,r,i){l[n]\|\|(l[n]={});var a=l[n][e];return a\|\|(a=l[n][e]={params:t\|\|{}},i&&(a.custom=i)),a.metrics=o(r,a.metrics),a}function o(n,e){return e\|\|(e={count:0}),e.count+=1,f(n,function(n,t){e[n]=i(t,e[n])}),e}function i(n,e){return e?(e&&!e.c&&(e={t:e.t,min:e.t,max:e.t,sos:e.te.t,c:1}),e.c+=1,e.t+=n,e.sos+=nn,n>e.max&&(e.max=n),n<e.min&&(e.min=n),e):{t:n}}function a(n,e){return

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Tdcv9KOl0AuohEPI[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	15359
Entropy (8bit):	5.42785637413621
Encrypted:	false
SSDEEP:	384:doPdCvSS/yNrbLXTkc4SRzKeO0bT9GVYlTrcgUn0Y0aOuPgl5YGm3TF9:doPNwcDPDbT/tQgUnCaOPmGm3Tv
MD5:	A72739C9324B44232D961C868F84DCA6
SHA1:	0FB7487EE474F3970815C9334BD47D1F3E3979DF
SHA-256:	B17D1688FEF5D45A92176BE69C4598F593D94B84627D038CA53F1A34D4717F6C
SHA-512:	F2FAE92CF0F068A606193D2C1B9BD391C65995E33FE3B73CE56FF76B4D540B07A17EFEDA65A82B0F247FBA8308AD04AB2A9DA9EBEC62E2412AB3A69C8C2C6BCD
Malicious:	false
Preview:	<!DOCTYPE html>...<html>. <head>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="chrome=1"><script type="text/javascript">(window.NREUM\|\|(NREUM={})).loader_config={licenseKey:"eaeea54ab7",applicationID:"61695248"};window.NREUM\|\|(NREUM={}),__nr_require=function(e,t,n){function r(n){if(!t[n]){var i=t[n]={exports:{}};e[n][0].call(i.exports,function(t){var i=e[n][1][t];return r(i\|\|t)},i,i.exports)}return t[n].exports}if("function"==typeof __nr_require)return __nr_require;for(var i=0;i<n.length;i++)r(n[i]);return r}({1:[function(e,t,n){function r(){}function i(e,t,n){return function(){return o(e,[u.now()].concat(c(arguments)),t?null:this,n),t?void 0:this}}var o=e("handle"),a=e(6),c=e(7),f=e("ee").get("tracer"),u=e("loader"),s=NREUM;"undefined"==typeof window.newrelic&&(newrelic=s);var d=["setPageViewName","setCustomAttribute","setErrorHandler","finished","addToTrace","inlineHit","addRelease"],p="api-",l=p+"ixn-";a(d,function(e,t){s[t]=i(p+t,!0,"api")}),s.addPageA

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\document_view.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with NEL line terminators
Category:	downloaded
Size (bytes):	2273519
Entropy (8bit):	5.559905400521439
Encrypted:	false
SSDEEP:	49152:SNx768bLt7j4KWF38OHZ4tkGSNiiul1ElI:StA6iBI
MD5:	4178D793497614CBF5B74C0C8979754F
SHA1:	700184FFA5B57AF2316B37DF357E02BA2346352B
SHA-256:	AA3D1A96BF8F4EED52C33D311D1CEDE1A735C7595E567BF81E9397480B7E4D48
SHA-512:	C18F6431A04794ACC19209530CDF60AF5E6CE77115D5BC9A65C83B243F1FA5530D06431CDC8652DF4D7A1EC27D7F76DF4E0B6F6139E01EA75ED746B6655653D1
Malicious:	false
IE Cache URL:	https://workflowy.com/media/js/document_view.min.js?v=610982d
Preview:	!function(e){var t={};function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}n.m=e,n.c=t,n.d=function(e,t,r){n.o(e,t)\|\|Object.defineProperty(e,t,{enumerable:!0,get:r})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var r=Object.create(null);if(n.r(r),Object.defineProperty(r,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var o in e)n.d(r,o,function(t){return e[t]}.bind(null,o));return r},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="/media/js/",n(n.s=885)}([function(e,t,n){"use strict";e.exports=n(438)},function(e,t,n){"use strict";

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\eaeea54ab7[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.31817604175005
Encrypted:	false
SSDEEP:	3:U3KTDWuvMiqVkMWVrfUh:HnNukMWVr8h
MD5:	79F2D634CE67570918939DF10A075576
SHA1:	BA47B7DACB11250F9B1B3974B34954B188E3ECAD
SHA-256:	D10C94B6CDB747904BAEE9070F003BB45849DA46F8100B1320F286C21CBCAAA1
SHA-512:	155FAB1EC68F300DDCB948D024995539C721A2AB0FD89C220F0EFFA68C3863507CBEF806F087F5C84EAB38D4C53DA94BC893894E8FC9DED388DACFE3244E182E
Malicious:	false
Preview:	NREUM.setToken({'stn':1,'err':1,'ins':1,'cap':0,'spa':1})

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ga[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	46274
Entropy (8bit):	5.48786904450865
Encrypted:	false
SSDEEP:	768:aqNVrKn0VGhn+K7U1r2p/Y60fyy3/g3OMZht1z1prkfw1+9NZ5VA:RHrLVGhnpIwp/Y7cnz1RkLL5m
MD5:	E9372F0EBBCF71F851E3D321EF2A8E5A
SHA1:	2C7D19D1AF7D97085C977D1B69DCB8B84483D87C
SHA-256:	1259EA99BD76596239BFD3102C679EB0A5052578DC526B0452F4D42F8BCDD45F
SHA-512:	C3A1C74AC968FC2FA366D9C25442162773DB9AF1289ADFB165FC71E7750A7E62BD22F424F241730F3C2427AFFF8A540C214B3B97219A360A231D4875E6DDEE6F
Malicious:	false
IE Cache URL:	https://ssl.google-analytics.com/ga.js
Preview:	(function(){var E;var g=window,n=document,p=function(a){var b=g._gaUserPrefs;if(b&&b.ioo&&b.ioo()\|\|a&&!0===g["ga-disable-"+a])return!0;try{var c=g.external;if(c&&c._gaUserPrefs&&"oo"==c._gaUserPrefs)return!0}catch(f){}a=[];b=n.cookie.split(";");c=/^\sAMP_TOKEN=\s(.?)\s$/;for(var d=0;d<b.length;d++){var e=b[d].match(c);e&&a.push(e[1])}for(b=0;b<a.length;b++)if("$OPT_OUT"==decodeURIComponent(a[b]))return!0;return!1};var q=function(a){return encodeURIComponent?encodeURIComponent(a).replace(/$/g,"%28").replace(/$/g,"%29"):a},r=/^(www\.)?google(\.com?)?(\.[a-z]{2})?$/,u=/(^\|\.)doubleclick\.net$/i;function Aa(a,b){switch(b){case 0:return""+a;case 1:return 1a;case 2:return!!a;case 3:return 1E3a}return a}function Ba(a){return"function"==typeof a}function Ca(a){return void 0!=a&&-1<(a.constructor+"").indexOf("String")}function F(a,b){return void 0==a\|\|"-"==a&&!b\|\|""==a}function Da(a){if(!a\|\|""==a)return"";for(;a&&-1<" \n\r\t".indexOf(a.charAt(0));)a=a.substring(1);for(;a&&-1<" \n\r\t".i

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\logo-bullet-lines-blue[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	589
Entropy (8bit):	4.972593672152842
Encrypted:	false
SSDEEP:	12:trZ9/MKuCoYUddWAbkLbcJfC4PbHTZL+xKC4nPHvoLrMltEulatEmZCtE+:tV9/MKuNT4sCGbHTZbC0oXw5WhAP
MD5:	7C6542F8D09ED039CEAD9A46BA912E53
SHA1:	45BECA1B83D4B72F79D1A10C6210ACDFF355C23B
SHA-256:	1255B7A53BEFBB4A3C4031F9582FE1936B8D124DE5B8B693B03358CB3E492071
SHA-512:	3900389574C26E5EAE008CC91F369C5346FC5C0501D9B773AFFF4FAFEC9F690A257B795742AB80980F025E645B5DC581AC1B26E42ECA6E51400C84EEBDC018F5
Malicious:	false
IE Cache URL:	https://workflowy.com/media/i/logo-bullet-lines-blue.svg
Preview:	<svg width="579" height="580" viewBox="0 0 579 580" fill="none" xmlns="http://www.w3.org/2000/svg">.<path d="M116 35H531C557.51 35 579 56.4903 579 83V83C579 109.51 557.51 131 531 131H116V35Z" fill="#B2CADB"/>.<path d="M218 242H531C557.51 242 579 263.49 579 290V290C579 316.51 557.51 338 531 338H218V242Z" fill="#B2CADB"/>.<path d="M116 449H531C557.51 449 579 470.49 579 497V497C579 523.51 557.51 545 531 545H116V449Z" fill="#B2CADB"/>.<circle cx="83" cy="83" r="83" fill="#47525B"/>.<circle cx="235" cy="290" r="83" fill="#47525B"/>.<circle cx="83" cy="497" r="83" fill="#47525B"/>.</svg>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\site.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with LF, NEL line terminators
Category:	downloaded
Size (bytes):	344855
Entropy (8bit):	5.299148755710273
Encrypted:	false
SSDEEP:	6144:AxSzp/o/iitbtNUaeRjLSuE4kIOFAweV0AAF:Ak1ottxNUNjLStrfeV07
MD5:	D06B9C7BBDB584E891AF7470C540373F
SHA1:	9E09177E303D5EC1876E1183842BFE60D4BCBC17
SHA-256:	1D96DED3CBB2E05D247CA03185BA021F790DBE8AABDD03DF56BBC27AB84BD7D6
SHA-512:	C53D4C04BA93098544DC3C9EDA61CA61D72153F3B871E36786F5961CBB6E6BB8FB567D215D8B04B487825535E4313A313DDB4F0D38CCFB6E7EFB45DE5900C96E
Malicious:	false
IE Cache URL:	https://workflowy.com/media/js/site.min.js
Preview:	!function(e){function t(t){for(var n,o,i=t[0],a=t[1],u=0,c=[];u<i.length;u++)o=i[u],r[o]&&c.push(r[o][0]),r[o]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(l&&l(t);c.length;)c.shift()()}var n={},r={17:0};function o(t){if(n[t])return n[t].exports;var r=n[t]={i:t,l:!1,exports:{}};return e[t].call(r.exports,r,r.exports,o),r.l=!0,r.exports}o.e=function(e){var t=[],n=r[e];if(0!==n)if(n)t.push(n[2]);else{var i=new Promise(function(t,o){n=r[e]=[t,o]});t.push(n[2]=i);var a,u=document.createElement("script");u.charset="utf-8",u.timeout=120,o.nc&&u.setAttribute("nonce",o.nc),u.src=function(e){return o.p+""+{0:"6f0b670eddaac85c5e4a",1:"8503ebe23bbb553931eb",2:"691a58eec3574cfa110c",3:"b27f856295365a42f064",4:"8c28c7d27117534a86a4",5:"1524dae43e7dbf404f3f",6:"65247b01f18ac82607ac",7:"9ca9fbac43f0e272661a",8:"e42577a28f6c3e306a7f",9:"5ba570c48ff05a4b5218",10:"7fb5d00134d0d26577a6",11:"adf9fc155506e2fa3fbf",12:"f216138f9312c91eee7d",13:"018fa7a115dcad40b512"}[e]+".js"}(e);

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\6f0b670eddaac85c5e4a[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	48788
Entropy (8bit):	5.359595203167086
Encrypted:	false
SSDEEP:	384:NA+C8e79Ye4hXZFCaWhz4EYrquM5FX4PV2YER6tTDf4z+l2PtmAucSOrxFqw66MG:74B4hWaOGrMhaTza/k6BG+7r
MD5:	8AFD3E7AEF0EF52C3EC7F4647F443AE4
SHA1:	21B6CC97A07DE5C5E62A5A0BEE624DE2B8033A23
SHA-256:	FA8372A7BFB9536773A97EF134BD77AAA88295B10382F5885C70C639C51EB5B3
SHA-512:	07131B6D036AD0475B406DD79747589A461AAA9C16477C3209E20E0333270A320F23E0EF6BF18D4899F2854569F95966C8F2FC9AD5CB57B08DE27B7AD2FBEBE2
Malicious:	false
IE Cache URL:	https://workflowy.com/media/js/6f0b670eddaac85c5e4a.js
Preview:	(window.webpackJsonp=window.webpackJsonp\|\|[]).push([[0],{10:function(e,r,t){"use strict";t.d(r,"c",function(){return g}),t.d(r,"d",function(){return h}),t.d(r,"e",function(){return y}),t.d(r,"b",function(){return v}),t.d(r,"a",function(){return x}),t.d(r,"f",function(){return w});var n,o=t(0),a=t(9),i=t(2),u=function(){return(u=Object.assign\|\|function(e){for(var r,t=1,n=arguments.length;t<n;t++)for(var o in r=arguments[t])Object.prototype.hasOwnProperty.call(r,o)&&(e[o]=r[o]);return e}).apply(this,arguments)},c={gray1:a.g,gray2:a.f,gray3:a.n,gray4:a.k,gray5:a.l,gray6:a.m,gray7:a.b,gray8:a.s,sharing:a.r,accent:a.a,overlay:a.s},l={gray1:"#ffffff",gray2:"#d9dbdb",gray3:"#9ea1a2",gray4:"#7c7f81",gray5:"#5c6062",gray6:"#42484b",gray7:"#353c3f",gray8:"#2a3135",sharing:"#367",accent:"#367",overlay:"#2a3135"},s=function(e){return void 0===e&&(e=c),u(u({},e),{arrowColor:e.gray2,background:e.gray8,backgroundImage:null,backgroundImageSet:null,bulletColor:e.gray2,bulletHalo:e.gray5,bulletHaloHover

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\adf9fc155506e2fa3fbf[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	6865
Entropy (8bit):	5.310715814564055
Encrypted:	false
SSDEEP:	192:276Udb4Zz7Gf3XmkhlmClBRQ/IaAeLKKd5ceK:M60SGfrhplBRQ/IheLKKQ
MD5:	B0CCC823DF717416D5EAA426AAC6BA86
SHA1:	6984D4F8B021EC07E4EEB338F9F6F8431C6C18EB
SHA-256:	53BDF5DAE2A46EE74470051D7AF9FB93BEAF8659D193322D4916EB758FE87294
SHA-512:	49298181F084D342B04993DB1D59A443933D153C6B2D378E2AF4B95769785CC13053E2213473800EF8F0AD0E240E98DBE93DAB1805272BEEAC8E0A1D90AD93B8
Malicious:	false
IE Cache URL:	https://workflowy.com/media/js/adf9fc155506e2fa3fbf.js
Preview:	(window.webpackJsonp=window.webpackJsonp\|\|[]).push([[11],{921:function(e,t,n){"use strict";var a=n(0),r=n(3),i=function(){return(i=Object.assign\|\|function(e){for(var t,n=1,a=arguments.length;n<a;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function o(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029").replace(/<\//g,"<\\/")}var l=a.memo(function(e){var t=e.title,n=e.description,l=e.style,c=e.children,s=e.context;return a.useEffect(function(){document.title=t},[t]),Object(r.g)("html",{margin:0,padding:0,height:"100%"}),Object(r.g)("body",i({margin:0,padding:0,height:"100%"},l)),Object(r.g)("#page",{height:"100%"}),s.pageOnly?c:a.createElement("html",null,a.createElement("head",null,a.createElement("title",null,t),n&&a.createElement("meta",{name:"description",content:n}),a.createElement("meta",{httpEquiv:"X-UA-Compatible",content:"chrome=1"}),a.createElement("link",{href:"https:/

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\eaeea54ab7[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.31817604175005
Encrypted:	false
SSDEEP:	3:U3KTDWuvMiqVkMWVrfUh:HnNukMWVr8h
MD5:	79F2D634CE67570918939DF10A075576
SHA1:	BA47B7DACB11250F9B1B3974B34954B188E3ECAD
SHA-256:	D10C94B6CDB747904BAEE9070F003BB45849DA46F8100B1320F286C21CBCAAA1
SHA-512:	155FAB1EC68F300DDCB948D024995539C721A2AB0FD89C220F0EFFA68C3863507CBEF806F087F5C84EAB38D4C53DA94BC893894E8FC9DED388DACFE3244E182E
Malicious:	false
Preview:	NREUM.setToken({'stn':1,'err':1,'ins':1,'cap':0,'spa':1})

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\signup[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.534640683711167
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLPbCXqwcWWGu:q43tISl6kXiMIWSU6XlI5LPJpfGu
MD5:	7B4F513528A3D65397F0E7F6DEF7AD4A
SHA1:	5DA8E55D7F30D9530BDEFB6FD670C273FF9DDD66
SHA-256:	5075788CBBDF48D111B4882949D3E50856C81CA87630A85D7C8DD1E600CDC691
SHA-512:	1EAAE52797DDC5ECC686D6351BFB152DB1276C644E33DAFE9ACA9B81EE9AA75D29FA04A12A64B3B281E0163C318E9832861D9553C67A984D3958E90EF57FE59C
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.19.4</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Tdcv9KOl0AuohEPI[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	15359
Entropy (8bit):	5.428089592566283
Encrypted:	false
SSDEEP:	384:doPdCvSS/yNrbLXTkc4SRzKeO0bT9GVYlTrcSUn0p0aOuPgl5YGm3TF9:doPNwcDPDbT/tQSUnzaOPmGm3Tv
MD5:	B27A37FA54101A835222FA065FE96FA8
SHA1:	B4D0987B1A0AAA2A60D60D190B708E11DED48DAB
SHA-256:	C678B315628D9DEA721E754F9EC9950D6B9F394C3F97BE9860DEA276F7583AB9
SHA-512:	6FEB4B09170C025FF0958095CAFC43D0985915BDAAC6EC4240F80A3DC2E9BA841FB8F468E0A0F3ABAE872D46FBF4D625FB35BF9286550035C43ACC5D61D97B5E
Malicious:	false
Preview:	<!DOCTYPE html>...<html>. <head>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="chrome=1"><script type="text/javascript">(window.NREUM\|\|(NREUM={})).loader_config={licenseKey:"eaeea54ab7",applicationID:"61695248"};window.NREUM\|\|(NREUM={}),__nr_require=function(e,t,n){function r(n){if(!t[n]){var i=t[n]={exports:{}};e[n][0].call(i.exports,function(t){var i=e[n][1][t];return r(i\|\|t)},i,i.exports)}return t[n].exports}if("function"==typeof __nr_require)return __nr_require;for(var i=0;i<n.length;i++)r(n[i]);return r}({1:[function(e,t,n){function r(){}function i(e,t,n){return function(){return o(e,[u.now()].concat(c(arguments)),t?null:this,n),t?void 0:this}}var o=e("handle"),a=e(6),c=e(7),f=e("ee").get("tracer"),u=e("loader"),s=NREUM;"undefined"==typeof window.newrelic&&(newrelic=s);var d=["setPageViewName","setCustomAttribute","setErrorHandler","finished","addToTrace","inlineHit","addRelease"],p="api-",l=p+"ixn-";a(d,function(e,t){s[t]=i(p+t,!0,"api")}),s.addPageA

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\e42577a28f6c3e306a7f[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	6932
Entropy (8bit):	5.314316385992555
Encrypted:	false
SSDEEP:	192:q76Udb4Zz7Gf3XmkhlmClBRQ/IaAjL5d5P1n1:g60SGfrhplBRQ/IhjL5T
MD5:	AD5D37EB59C3360ECE2973696A3520D4
SHA1:	74E94926731088E2CCD62DD065CDB1B7316FF1AA
SHA-256:	1463EEA0C3698C8760F805F7720FC1A8195AF56227DF0D22CCEB1955C2858646
SHA-512:	BAE6B49423CA1AB5EB8120E63B1ACE31DB57CE5C830749A3F86FF219733B8B90F2E2C1D54D616B4FB9B8DA6699499FFBFBD978F0EE13EA20E94A017B39CC9856
Malicious:	false
IE Cache URL:	https://workflowy.com/media/js/e42577a28f6c3e306a7f.js
Preview:	(window.webpackJsonp=window.webpackJsonp\|\|[]).push([[8],{921:function(e,t,n){"use strict";var a=n(0),r=n(3),i=function(){return(i=Object.assign\|\|function(e){for(var t,n=1,a=arguments.length;n<a;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function o(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029").replace(/<\//g,"<\\/")}var l=a.memo(function(e){var t=e.title,n=e.description,l=e.style,c=e.children,s=e.context;return a.useEffect(function(){document.title=t},[t]),Object(r.g)("html",{margin:0,padding:0,height:"100%"}),Object(r.g)("body",i({margin:0,padding:0,height:"100%"},l)),Object(r.g)("#page",{height:"100%"}),s.pageOnly?c:a.createElement("html",null,a.createElement("head",null,a.createElement("title",null,t),n&&a.createElement("meta",{name:"description",content:n}),a.createElement("meta",{httpEquiv:"X-UA-Compatible",content:"chrome=1"}),a.createElement("link",{href:"https://

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\eaeea54ab7[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.459147917027245
Encrypted:	false
SSDEEP:	3:CUXJ/lH:Dl
MD5:	BC32ED98D624ACB4008F986349A20D26
SHA1:	2D3DF8C11D2168CE2C27E0937421D11D85016361
SHA-256:	0C9CF152A0AD00D4F102C93C613C104914BE5517AC8F8E0831727F8BFBE8B300
SHA-512:	71ACC6DA78D5D5BF0EEA30E2EE0AC5C992B00EFEC959077DFE0AB769F1DBBD9AF12D5C5C155046283D5416BEB606A9EF323FB410E903768B1569B69F37075B4E
Malicious:	false
Preview:	GIF89a.......,..........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\login[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.534640683711167
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLPbCXqwcWWGu:q43tISl6kXiMIWSU6XlI5LPJpfGu
MD5:	7B4F513528A3D65397F0E7F6DEF7AD4A
SHA1:	5DA8E55D7F30D9530BDEFB6FD670C273FF9DDD66
SHA-256:	5075788CBBDF48D111B4882949D3E50856C81CA87630A85D7C8DD1E600CDC691
SHA-512:	1EAAE52797DDC5ECC686D6351BFB152DB1276C644E33DAFE9ACA9B81EE9AA75D29FA04A12A64B3B281E0163C318E9832861D9553C67A984D3958E90EF57FE59C
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.19.4</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\print[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	1316
Entropy (8bit):	4.5361774193775695
Encrypted:	false
SSDEEP:	24:Ev7iax0Ra6+G0EBxLCKrqwjtRiRRl/H+VEgTKwubs:Ev7ia6sG0E/CIJI56qo
MD5:	7471DC37D85CB2B6BAAC70B6A9312DB4
SHA1:	D4775C3D288899890AA0874D3F9AC33843680119
SHA-256:	858EBBB77D7504548FED0FB9088D90B774945E88B0464D42A44C4829A84B972D
SHA-512:	062806344E9E5904BF3A0DBAB95E4272C0D84DD654DD29BDCC95BC5FDBED6436B4D8C079425C94282FCDE57801D3B5B16820EA010A829624191A2CC4D771FC98
Malicious:	false
IE Cache URL:	https://workflowy.com/media/css/print.css
Preview:	.leftBar {. display: none;.}..body {. padding-left: 0 !important;.}...page {. border: none !important;.. /* Add space at top of page so there is some margin. /. margin-top: 0 !important;. margin-bottom: 0 !important;.. min-height: 10px !important;. box-shadow: none !important;.. / Style the page width and margins so that they adjust dynamically. depending on width used for printing (and turn off the. transform that is normally used for this). We need to use pure. CSS for positioning the page when printing (rather than the JS. that adjusts things on 'resize' events normally) because we. don't know what the print width will be. */. width: auto !important;. max-width: 700px !important;. margin-left: auto !important;. margin-right: auto !important;. left: 0 !important;.. transform: none !important;. -webkit-transform: none !important;. -moz-transform: none !important;. -ms-transform: none !important;.}...mainTreeRoot {. min-height: 0px !im

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\reset[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	928
Entropy (8bit):	4.754464678335133
Encrypted:	false
SSDEEP:	24:LFc0a1DMd2Uhsq1wJjtqQqvAQbCFD+FW9N3/s:xLzhsJVtf/F3X0
MD5:	11B989919D8B8857A3700B00F4E8F184
SHA1:	0D909DA6DE2B0157D07D0FCB721221F5D49688C0
SHA-256:	20B1C4B5D2BE0EED0ABB524023534E08D98D34D82C01D60CEB40D9B387EB8AC5
SHA-512:	BA320F903E0EDEF9E65861F931F4711E8556723560EAD36D46935BB126BAF4CEFDC08A14A1F5AA9F517AD5EF79CE67213391B0BA1ABC46A9F34F841A3BADC2A7
Malicious:	false
IE Cache URL:	https://workflowy.com/media/css/reset.css
Preview:	html, body, div, span, applet, object, iframe,.h1, h2, h3, h4, h5, h6, p, blockquote, pre,.a, abbr, acronym, address, big, cite, code,.del, dfn, em, font, img, ins, kbd, q, s, samp,.small, strike, strong, sub, sup, tt, var,.b, u, i, center,.dl, dt, dd, ol, ul, li,.fieldset, form, label, legend,.table, caption, tbody, tfoot, thead, tr, th, td {.margin: 0;.padding: 0;.border: 0;.outline: 0;.font-size: 100%;.vertical-align: baseline;.background: transparent;.}.body {.line-height: 1;.}.ol, ul {.list-style: none;.}.blockquote, q {.quotes: none;.}.blockquote:before, blockquote:after,.q:before, q:after {.content: '';.content: none;.}../* remember to define focus styles! /.:focus {.outline: 0;.}../ remember to highlight inserts somehow! /.ins {.text-decoration: none;.}.del {.text-decoration: line-through;.}../ tables still need 'cellspacing="0"' in the markup */.table {.border-collapse: collapse;.border-spacing: 0;.}..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\signup[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	7312
Entropy (8bit):	5.357545787870613
Encrypted:	false
SSDEEP:	96:jwj4cNN8AfppuL5EVJSWhGUUkIkKyOd0JbAWAbEbaxx33GNNqkUka6WqyZXOREmi:jDL5S5YUudwkNL33GXbgevDPO
MD5:	8A0730731A4463EAF1E9C6057B1CE100
SHA1:	C654D4BC0F4FE542744603F4478A6EDAE4A4ED3E
SHA-256:	38DFDE1431EE46C01C9F41C1DF70DBEE7415BBE0C0C83787F2736330DEB59F48
SHA-512:	1E4B55AD170093209A66BC73A53BAC3A780761C02D35BA42E9A31B8FE3F97F7E201B07DB92C944E46A7181C06A4EC96CE2946FD8828A7A15D719F389AF18A883
Malicious:	false
IE Cache URL:	https://workflowy.com/signup/?next=/s/this-document-is-too/Tdcv9KOl0AuohEPI
Preview:	<!doctype html><html><head><title>Sign up for WorkFlowy</title><meta http-equiv="X-UA-Compatible" content="chrome=1"/><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,700,800" rel="stylesheet" type="text/css"/><meta name="ahrefs-site-verification" content="1e02598fc87129fdd8624212a90901b5a29fe287c590c9740af3c21f34784f42"/><link rel="shortcut icon" type="image/x-icon" href="/media/i/favicon.ico"/><link rel="apple-touch-icon" href="/media/i/icon-57x57.png"/><link rel="apple-touch-icon" sizes="72x72" href="/media/i/icon-72x72.png"/><link rel="apple-touch-icon" sizes="114x114" href="/media/i/icon-114x114.png"/><link rel="apple-touch-startup-image" sizes="768x1004" href="/media/i/workflowy-startup-image-ipad.png"/><link rel="apple-touch-startup-image" href="/media/i/workflowy-startup-image.png"/><meta name="apple-mobile-web-app-status-bar-style" content="black"/><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"/><m

C:\Users\user\AppData\Local\Temp\~DF6B30D1274994D5C2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	80229
Entropy (8bit):	1.0983391941539027
Encrypted:	false
SSDEEP:	384:kBqoxKAuqR+w2st2dMH4nH4+/f9ArK8Vs8OybJgHKeZikYeJjGv:ICTy
MD5:	2518CF788F431216981725BB386F4BA7
SHA1:	1BC8F6822D1A43EF51D5CCBBA9CA0ACA93FBB7C9
SHA-256:	F8EA8E1FEF0D4EAA57D32F44D36B9A8FD64D5919CAD5439BF543695B6753AAE7
SHA-512:	D0276830A6E41FA5FCAAD0CBDD917AD258646C95FEC552F6BD06513FDAEA54505B7D1211934855F7CC1DCF1490B5E80DE81EE72DC0A892000071816B715B1752
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC45A6DE1E45FCB38.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13077
Entropy (8bit):	0.5146612842717769
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loitF9loin9lWiDJk+tOJkf4xkffkf+yoOy7:kBqoI1j3QHHUUv
MD5:	974F165017DBA1D2928EB7974C500399
SHA1:	EDFDC72A019E7C19ECD9C8E415CB13AAF0F18EAD
SHA-256:	40EAFB2DA6879672B5FB246DB75634CBA4ECADB44694C0FA7AB0287620555631
SHA-512:	B0954E6C2DF3CD0B7FB2038B2023F60A09AA8DB4830F27B50E453B99A262452EB8CCAE4E5638251E898C5E731EDAC7C83B1E9315B272B27D26BA9F52B9B9BF01
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE7F7DFF84D3203B8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Fennec Pharma.xlsx Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	false
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.724791075038105
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	Fennec Pharma.xlsx
File size:	83695
MD5:	a2315b66552273d966bdc8570a6a7208
SHA1:	ad82640b54ce17f43e9df68ebfa700de48df5ef0
SHA256:	8c3a18ce48dbab7971870da260421c03483e279795768bfdeb0ee7dd6079ec2b
SHA512:	37a4eea1568b2477fd32c62ec4d8d96f32ba986818ebf140f64997987acca3c4c342e8516ae0c2f7fd36a7ced3fd53c1482de1a5b0feafd85a2c55e9057e840b
SSDEEP:	1536:kITxWDwbNcsRF6RFBn2Sc9IQDwsQiaFghujpHqG:LTrNcc6RFBxQDzQaujpKG
File Content Preview:	PK..........!.....i...........[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0d2d6d6d0dc

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 00:43:49.473449945 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.473490953 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.576152086 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.576299906 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.576361895 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.576436996 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.582822084 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.582849026 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.685487986 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.685564995 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.687828064 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.687880993 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.687918901 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.687958956 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.687958002 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.687985897 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.687992096 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.687998056 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.688011885 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.688045979 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.688057899 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.688091993 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.688096046 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.688132048 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.688148975 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.688190937 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.720383883 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.720527887 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.731240988 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.731401920 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.731709003 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.823632002 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.823683023 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.823715925 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.823743105 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.823745966 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.823797941 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.823807955 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.823838949 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.824373007 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.824459076 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.834054947 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.834095955 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.834173918 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.834462881 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.834541082 CET	49739	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.873146057 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.873199940 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.873238087 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.873276949 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.873280048 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.873307943 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.873312950 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.873315096 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.873317957 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.873363018 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.873378992 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.873437881 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.873437881 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.873500109 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.926489115 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.926547050 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.926589012 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.926629066 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.926640034 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.926687956 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.926786900 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.936868906 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.936950922 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.969446898 CET	443	49739	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:49.994864941 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.995114088 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:49.996900082 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.097912073 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.098521948 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.098557949 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.098642111 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.099085093 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.099113941 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.099147081 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.099150896 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.099160910 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.099184990 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.099201918 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.100771904 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.100810051 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.100850105 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.100851059 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.100862980 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.100888014 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.100907087 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.100924969 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.100941896 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.100963116 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.100982904 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.101000071 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.101020098 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.101047039 CET	443	49738	54.84.56.113	192.168.2.3
Nov 21, 2020 00:43:50.101063013 CET	49738	443	192.168.2.3	54.84.56.113
Nov 21, 2020 00:43:50.101088047 CET	443	49738	54.84.56.113	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 00:42:53.223582983 CET	64185	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:42:53.265031099 CET	53	64185	8.8.8.8	192.168.2.3
Nov 21, 2020 00:42:53.535516977 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:42:53.590559959 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 00:42:54.541918993 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:42:54.577686071 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 00:42:55.541960001 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:42:55.590146065 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 00:42:57.542498112 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:42:57.569761038 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:01.566458941 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:01.602247953 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:08.258397102 CET	58361	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:08.285738945 CET	53	58361	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:08.781840086 CET	63492	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:08.809674025 CET	53	63492	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:09.175076008 CET	60831	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:09.203488111 CET	53	60831	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:09.976304054 CET	60100	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:10.014054060 CET	53	60100	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:10.803133965 CET	53195	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:10.830259085 CET	53	53195	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:11.595843077 CET	50141	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:11.631705046 CET	53	50141	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:12.379771948 CET	53023	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:12.415539026 CET	53	53023	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:13.266586065 CET	49563	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:13.293834925 CET	53	49563	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:14.128935099 CET	51352	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:14.187591076 CET	53	51352	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:14.832262039 CET	59349	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:14.859416008 CET	53	59349	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:15.422054052 CET	57084	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:15.459034920 CET	53	57084	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:15.650541067 CET	58823	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:15.677666903 CET	53	58823	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:16.429929018 CET	57568	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:16.457212925 CET	53	57568	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:18.099004984 CET	50540	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:18.126615047 CET	53	50540	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:18.777410984 CET	54366	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:18.804723024 CET	53	54366	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:19.611820936 CET	53034	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:19.638972044 CET	53	53034	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:20.271809101 CET	57762	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:20.309767008 CET	53	57762	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:22.509326935 CET	55435	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:22.553159952 CET	53	55435	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:31.947287083 CET	50713	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:31.993290901 CET	53	50713	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:42.843096972 CET	56132	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:42.870354891 CET	53	56132	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:46.143652916 CET	58987	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:46.180490971 CET	53	58987	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:48.071952105 CET	56579	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:48.109222889 CET	53	56579	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:49.406404972 CET	60633	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:49.452807903 CET	53	60633	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:50.164338112 CET	61292	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:50.208117962 CET	53	61292	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:50.439810038 CET	63619	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:50.475500107 CET	53	63619	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:53.219419956 CET	64938	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:53.257539034 CET	53	64938	8.8.8.8	192.168.2.3
Nov 21, 2020 00:43:53.904326916 CET	61946	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:43:53.933566093 CET	53	61946	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:17.525377989 CET	64910	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:17.552561998 CET	53	64910	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:18.039601088 CET	52123	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:18.078587055 CET	53	52123	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:18.855551004 CET	56130	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:18.891179085 CET	53	56130	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:19.044619083 CET	52123	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:19.080331087 CET	53	52123	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:19.376327991 CET	56338	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:19.420078993 CET	53	56338	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:19.840481043 CET	56130	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:19.876399994 CET	53	56130	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:20.046986103 CET	52123	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:20.075398922 CET	53	52123	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:20.856493950 CET	56130	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:20.893460035 CET	53	56130	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:22.044533968 CET	52123	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:22.072020054 CET	53	52123	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:22.872003078 CET	56130	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:22.907798052 CET	53	56130	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:26.057037115 CET	52123	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:26.084237099 CET	53	52123	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:26.885046959 CET	56130	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:26.920645952 CET	53	56130	8.8.8.8	192.168.2.3
Nov 21, 2020 00:44:45.389441967 CET	59420	53	192.168.2.3	8.8.8.8
Nov 21, 2020 00:44:45.425132036 CET	53	59420	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 21, 2020 00:43:49.406404972 CET	192.168.2.3	8.8.8.8	0xd3fa	Standard query (0)	workflowy.com	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:50.439810038 CET	192.168.2.3	8.8.8.8	0xf9b0	Standard query (0)	stats.g.doubleclick.net	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:53.219419956 CET	192.168.2.3	8.8.8.8	0xae02	Standard query (0)	js-agent.newrelic.com	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:53.904326916 CET	192.168.2.3	8.8.8.8	0x7848	Standard query (0)	bam-cell.nr-data.net	A (IP address)	IN (0x0001)
Nov 21, 2020 00:44:45.389441967 CET	192.168.2.3	8.8.8.8	0xda08	Standard query (0)	workflowy.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 21, 2020 00:43:49.452807903 CET	8.8.8.8	192.168.2.3	0xd3fa	No error (0)	workflowy.com		54.84.56.113	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:49.452807903 CET	8.8.8.8	192.168.2.3	0xd3fa	No error (0)	workflowy.com		107.23.99.91	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:49.452807903 CET	8.8.8.8	192.168.2.3	0xd3fa	No error (0)	workflowy.com		54.164.228.73	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:50.475500107 CET	8.8.8.8	192.168.2.3	0xf9b0	No error (0)	stats.g.doubleclick.net	stats.l.doubleclick.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 00:43:50.475500107 CET	8.8.8.8	192.168.2.3	0xf9b0	No error (0)	stats.l.doubleclick.net		74.125.140.154	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:50.475500107 CET	8.8.8.8	192.168.2.3	0xf9b0	No error (0)	stats.l.doubleclick.net		74.125.140.155	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:50.475500107 CET	8.8.8.8	192.168.2.3	0xf9b0	No error (0)	stats.l.doubleclick.net		74.125.140.157	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:50.475500107 CET	8.8.8.8	192.168.2.3	0xf9b0	No error (0)	stats.l.doubleclick.net		74.125.140.156	A (IP address)	IN (0x0001)
Nov 21, 2020 00:43:53.257539034 CET	8.8.8.8	192.168.2.3	0xae02	No error (0)	js-agent.newrelic.com	f4.shared.global.fastly.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 00:43:53.933566093 CET	8.8.8.8	192.168.2.3	0x7848	No error (0)	bam-cell.nr-data.net	tls12.newrelic.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 00:44:45.425132036 CET	8.8.8.8	192.168.2.3	0xda08	No error (0)	workflowy.com		54.84.56.113	A (IP address)	IN (0x0001)
Nov 21, 2020 00:44:45.425132036 CET	8.8.8.8	192.168.2.3	0xda08	No error (0)	workflowy.com		107.23.99.91	A (IP address)	IN (0x0001)
Nov 21, 2020 00:44:45.425132036 CET	8.8.8.8	192.168.2.3	0xda08	No error (0)	workflowy.com		54.164.228.73	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 21, 2020 00:43:49.687958956 CET	54.84.56.113	443	192.168.2.3	49738	CN=*.workflowy.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Sun Oct 25 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Thu Nov 25 00:59:59 CET 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034
Nov 21, 2020 00:43:49.688132048 CET	54.84.56.113	443	192.168.2.3	49739	CN=*.workflowy.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Sun Oct 25 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Thu Nov 25 00:59:59 CET 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034
Nov 21, 2020 00:43:50.532900095 CET	74.125.140.154	443	192.168.2.3	49742	CN=*.g.doubleclick.net, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Nov 03 08:33:42 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Jan 26 08:33:42 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 21, 2020 00:43:50.532900095 CET	74.125.140.154	443	192.168.2.3	49742	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Nov 21, 2020 00:43:50.534833908 CET	74.125.140.154	443	192.168.2.3	49743	CN=*.g.doubleclick.net, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Nov 03 08:33:42 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Jan 26 08:33:42 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 21, 2020 00:43:50.534833908 CET	74.125.140.154	443	192.168.2.3	49743	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Nov 21, 2020 00:44:45.639421940 CET	54.84.56.113	443	192.168.2.3	49750	CN=*.workflowy.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Sun Oct 25 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Thu Nov 25 00:59:59 CET 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2024 Parent PID: 792

General

Start time:	00:42:51
Start date:	21/11/2020
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13c0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4300 Parent PID: 792

General

Start time:	00:43:47
Start date:	21/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6de4e0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6328 Parent PID: 4300

General

Start time:	00:43:47
Start date:	21/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4300 CREDAT:17410 /prefetch:2
Imagebase:	0xeb0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Fennec Pharma.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Phishing:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 2024 Parent PID: 792

General

Analysis Process: iexplore.exe PID: 4300 Parent PID: 792

General

Analysis Process: iexplore.exe PID: 6328 Parent PID: 4300

General

Disassembly