Windows Analysis Report bDemJQO51z.xlsb

Overview

General Information

Sample Name: bDemJQO51z.xlsb
Analysis ID: 445525
MD5: b53ed71b3c7a18f70d693a137b5adc5c
SHA1: a31f1a98ea227e331303ec0c6ee226a711427998
SHA256: 9e05cd392d9c1334c404ceb8fe28d6bc179d9844569bced9d2d1c057de538dee
Tags: 202106221, Gozi, ISFB, Ursnif, xlsb, xlsx

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Office process drops PE file
Performs DNS queries to domains with low reputation
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes or reads registry keys via WMI
Writes registry values via WMI
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Registers a DLL
Tries to load missing DLLs
Yara detected Xls With Macro 4.0

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6504 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6784 cmdline: regsvr32 -silent ..\tru.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 2432 cmdline: regsvr32 -silent ..\tru.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 6756 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2240 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6756 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: app.xml | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security

Memory Dumps

Source: 00000003.00000003.785587738.00000000061C0000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000003.00000003.786351947.00000000061C0000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000003.00000003.785490720.00000000061C0000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000003.00000003.786471515.00000000061C0000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000003.00000003.785914746.00000000061C0000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
(29 matching memory dumps in total; the first five are listed above.)

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  Command: regsvr32 -silent ..\tru.dll
  CommandLine: regsvr32 -silent ..\tru.dll
  CommandLine|base64offset|contains: ,,
  Image: C:\Windows\SysWOW64\regsvr32.exe
  NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
  OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
  ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  ParentProcessId: 6504
  ProcessCommandLine: regsvr32 -silent ..\tru.dll
  ProcessId: 6784

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\upl[1].txt | ReversingLabs: Detection: 42%
Source: C:\Users\user\tru.dll | ReversingLabs: Detection: 42%
Source: 3.3.regsvr32.exe.115a1db.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 184.175.93.196:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.153.230.139:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.153.230.139:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.153.230.139:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: upl[1].txt.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\tru.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: upl[1].txt.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: bussipod.xyz
Source: C:\Windows\SysWOW64\regsvr32.exe | DNS query: bussipod.xyz
Source: Joe Sandbox View | ASN Name: TEAM-HOSTASRU TEAM-HOSTASRU
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown | DNS traffic detected: queries for: promocioninmobiliaria.cl
Source: regsvr32.exe, 00000003.00000003.786351947.00000000061C0000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: regsvr32.exe | String found in binary or memory: https://bussipod.xyz
Source: ~DF5838B134AEB34B2C.TMP.13.dr | String found in binary or memory: https://bussipod.xyz/index.htm
Source: {643AD4E3-DF56-11EB-90EB-ECF4BBEA1588}.dat.13.dr | String found in binary or memory: https://bussipod.xyz/index.htmRoot
Source: {643AD4E3-DF56-11EB-90EB-ECF4BBEA1588}.dat.13.dr | String found in binary or memory: https://bussipod.xyz/index.htmndex.htm
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://tasks.office.com
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://templatelogging.office.com/client/log
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://web.microsoftstream.com/video/
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://webshell.suite.office.com
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://wus2.contentsync.
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://wus2.pagecontentsync.
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
              Source: E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 184.175.93.196:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.153.230.139:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.153.230.139:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.153.230.139:443 -> 192.168.2.4:49760 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6784, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6784, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the inte'""""" "7 ' , , 0PTotected
Source: Screenshot number: 4 | Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start the decryption of the document.
Source: Screenshot number: 8 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internetg 0Protected View This f
Source: Screenshot number: 8 | Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start the decryption of the document.
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\tru.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\upl[1].txt
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@7/28@3/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{779663F1-8CAD-43C2-9721-65D7EF787176} - OProcSessId.dat
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\tru.dll
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6756 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: bDemJQO51z.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
Source: bDemJQO51z.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: upl[1].txt.0.dr

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\tru.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6784, type: MEMORY
Source: C:\Windows\SysWOW64\regsvr32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\upl[1].txt

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: bussipod.xyz
Source: Yara match | File source: app.xml, type: SAMPLE
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
              Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6784, type: MEMORY

              Remote Access Functionality:

              Yara detected Ursnif
              Source: Yara match, File source: 00000003.00000003.785587738.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786351947.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785490720.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786471515.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785914746.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786046396.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785681429.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785395370.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786832498.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786290579.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786111301.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786598638.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786404919.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786951850.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786858058.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786925101.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786757271.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786687841.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786643583.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786530397.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786910689.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786941081.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786803854.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786882909.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786722388.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785763994.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785197460.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.793270555.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786173982.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785302233.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785981820.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.785845872.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.786231862.00000000061C0000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 6784, type: MEMORY

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 2 1 1 | DLL Side-Loading 1 | Process Injection 1 1 | Masquerading 1 2 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Exploitation for Client Execution 4 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 1 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Regsvr32 1 | NTDS | System Information Discovery 4 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

              Behavior Graph

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label | Link
              bDemJQO51z.xlsb | 2% | ReversingLabs | |

              Dropped Files

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\upl[1].txt | 43% | ReversingLabs | Win32.Trojan.Ursnif |
              C:\Users\user\tru.dll | 43% | ReversingLabs | Win32.Trojan.Ursnif |

              Unpacked PE Files

              Source | Detection | Scanner | Label | Link
              3.3.regsvr32.exe.115a1db.0.unpack | 100% | Avira | TR/Patched.Ren.Gen |

              Domains

              No Antivirus matches

              URLs

              Source | Detection | Scanner | Label | Link
              https://cdn.entity. | 0% | URL Reputation | safe |
              https://powerlift.acompli.net | 0% | URL Reputation | safe |
              https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
              https://cortana.ai | 0% | URL Reputation | safe |
              https://api.aadrm.com/ | 0% | URL Reputation | safe |
              https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
              https://bussipod.xyz/index.htm | 0% | Avira URL Cloud | safe |
              https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
              https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
              https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe |
              https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
              https://bussipod.xyz/index.htmRoot | 0% | Avira URL Cloud | safe |
              https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
              https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
              https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
              https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
              https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
              https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
              https://ncus.contentsync. | 0% | URL Reputation | safe |
              https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
              https://bussipod.xyz/index.htmndex.htm | 0% | Avira URL Cloud | safe |
              https://wus2.contentsync. | 0% | URL Reputation | safe |
              http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; | 0% | Avira URL Cloud | safe |
              https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
              https://bussipod.xyz | 0% | Avira URL Cloud | safe |
              https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
              https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
              https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              bussipod.xyz | 45.153.230.139 | true | true | | unknown
              promocioninmobiliaria.cl | 184.175.93.196 | true | false | | unknown

                  URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              https://api.diagnosticssdf.office.com | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://login.microsoftonline.com/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://shell.suite.office.com:1443 | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://autodiscover-s.outlook.com/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://cdn.entity. | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://api.addins.omex.office.net/appinfo/query | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://clients.config.office.net/user/v1.0/tenantassociationkey | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://powerlift.acompli.net | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://rpsticket.partnerservices.getmicrosoftkey.com | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://lookup.onenote.com/lookup/geolocation/v1 | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://cortana.ai | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://cloudfiles.onenote.com/upload.aspx | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://entitlement.diagnosticssdf.office.com | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://api.aadrm.com/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://ofcrecsvcapi-int.azurewebsites.net/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | Avira URL Cloud: safe | unknown
              https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://api.microsoftstream.com/api/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://bussipod.xyz/index.htm | ~DF5838B134AEB34B2C.TMP.13.dr | false | Avira URL Cloud: safe | unknown
              https://cr.office.com | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://portal.office.com/account/?ref=ClientMeControl | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              http://www.reddit.com/ | msapplication.xml4.13.dr | false | | high
              https://graph.ppe.windows.net | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://res.getmicrosoftkey.com/api/redemptionevents | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://powerlift-frontdesk.acompli.net | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://tasks.office.com | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://officeci.azurewebsites.net/api/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | Avira URL Cloud: safe | unknown
              https://sr.outlook.office.net/ws/speech/recognize/assistant/work | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://store.office.cn/addinstemplate | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://bussipod.xyz/index.htmRoot | {643AD4E3-DF56-11EB-90EB-ECF4BBEA1588}.dat.13.dr | false | Avira URL Cloud: safe | unknown
              https://outlook.office.com/autosuggest/api/v1/init?cvid= | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://globaldisco.crm.dynamics.com | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://store.officeppe.com/addinstemplate | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://dev0-api.acompli.net/autodetect | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://www.odwebp.svc.ms | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://api.powerbi.com/v1.0/myorg/groups | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://web.microsoftstream.com/video/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://graph.windows.net | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://dataservice.o365filtering.com/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://officesetup.getmicrosoftkey.com | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://analysis.windows.net/powerbi/api | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://prod-global-autodetect.acompli.net/autodetect | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://outlook.office365.com/autodiscover/autodiscover.json | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              http://www.youtube.com/ | msapplication.xml7.13.dr | false | | high
              https://ncus.contentsync. | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              http://weather.service.msn.com/data.aspx | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://apis.live.net/v5.0/ | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | URL Reputation: safe | unknown
              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
              https://bussipod.xyz/index.htmndex.htm | {643AD4E3-DF56-11EB-90EB-ECF4BBEA1588}.dat.13.dr | false | Avira URL Cloud: safe | unknown
              https://management.azure.com | E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.dr | false | | high
                                                                                                        https://wus2.contentsync.E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://incidents.diagnostics.office.comE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                          high
                                                                                                          https://clients.config.office.net/user/v1.0/iosE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                            high
                                                                                                            http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;regsvr32.exe, 00000003.00000003.786351947.00000000061C0000.00000004.00000040.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            low
                                                                                                            https://insertmedia.bing.office.net/odc/insertmediaE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                              high
                                                                                                              https://o365auditrealtimeingestion.manage.office.comE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                high
                                                                                                                https://outlook.office365.com/api/v1.0/me/ActivitiesE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                  high
                                                                                                                  https://api.office.netE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                    high
                                                                                                                    https://incidents.diagnosticssdf.office.comE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                      high
                                                                                                                      https://asgsmsproxyapi.azurewebsites.net/E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://bussipod.xyzregsvr32.exefalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://clients.config.office.net/user/v1.0/android/policiesE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                        high
                                                                                                                        http://www.amazon.com/msapplication.xml.13.drfalse
                                                                                                                          high
                                                                                                                          https://entitlement.diagnostics.office.comE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                            high
                                                                                                                            https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                              high
                                                                                                                              http://www.twitter.com/msapplication.xml5.13.drfalse
                                                                                                                                high
                                                                                                                                https://substrate.office.com/search/api/v2/initE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://outlook.office.com/E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://storage.live.com/clientlogs/uploadlocationE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://templatelogging.office.com/client/logE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://outlook.office365.com/E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://webshell.suite.office.comE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://management.azure.com/E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://login.windows.net/common/oauth2/authorizeE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://graph.windows.net/E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://api.powerbi.com/beta/myorg/importsE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://devnull.onenote.comE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://ncus.pagecontentsync.E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://messaging.office.com/E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://augloop.office.com/v2E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingE3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://skyapi.live.net/Activity/E3EB9BFB-9A3C-4BB8-990C-FB40D6108524.0.drfalse
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  unknown

Contacted IPs

Public

IP               Domain                     Country              ASN      ASN Name        Malicious
184.175.93.196   promocioninmobiliaria.cl   United States        7393     CYBERCONUS      false
45.153.230.139   bussipod.xyz               Russian Federation   202984   TEAM-HOSTASRU   true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 445525
Start date: 07.07.2021
Start time: 21:04:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: bDemJQO51z.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSB@7/28@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
Warnings:
• Max analysis timeout: 220s exceeded, the analysis took too long
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.40.125.232, 92.122.145.220, 204.79.197.200, 13.107.21.200, 40.88.32.150, 13.88.21.125, 52.109.88.177, 52.109.8.24, 168.61.161.212, 20.82.209.183, 52.255.188.83, 213.155.157.67, 213.155.157.80, 23.203.80.193, 213.155.157.112, 213.155.157.106, 20.72.88.19, 40.112.88.60, 152.199.19.161
• Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, cs9.wpc.v0cdn.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, nexus.officeapps.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ie9comview.vo.msecnd.net, prod.configsvc1.live.com.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, go.microsoft.com.edgekey.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/445525/sample/bDemJQO51z.xlsb

Simulations

Behavior and APIs

Time       Type              Description
21:06:28   API Interceptor   2x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
CYBERCONUS | 5t2CmTUhKc.exe | malicious | 184.175.83.64
 | sample.exe | malicious | 184.175.106.113
 | tS9P6wPz9x.exe | malicious | 184.175.106.113
 | ransomware.exe | malicious | 184.175.106.113
 | ransomware.exe | malicious | 184.175.106.113
 | gc79a7rUNV.exe | malicious | 184.175.106.113
 | CONSTANTINE.xlsx | malicious | 216.15.213.195
 | 08142020_1463075702.doc | malicious | 66.201.98.191
 | http://srconsultingsrv.com/wp-admin/open-9c-pqmgpgy9fo4mnwz/verifiable-area/10bpikjgd-32105y0ut8/ | malicious | 184.175.123.49
 | SecuriteInfo.com.W97m.Downloader.IWY.30727.doc | malicious | 216.198.213.62
 | SecuriteInfo.com.W97m.Downloader.IWY.30727.doc | malicious | 216.198.213.62
TEAM-HOSTASRU | charge,06.28.2021.doc | malicious | 45.153.230.72
 | legislate.06.21.doc | malicious | 45.153.230.72
 | legislate.06.21.doc | malicious | 45.153.230.72
 | charge,06.28.2021.doc | malicious | 45.153.230.72
 | charge,06.28.2021.doc | malicious | 45.153.230.72
 | decree.06.28.2021.doc | malicious | 45.153.230.72
 | decree.06.28.2021.doc | malicious | 45.153.230.72
 | tell.06.21.doc | malicious | 45.153.230.72
 | tell.06.21.doc | malicious | 45.153.230.72
 | PycwDlq90E.exe | malicious | 45.139.236.24
 | legal paper 06.21.doc | malicious | 45.153.230.72
 | legal paper 06.21.doc | malicious | 45.153.230.72
 | dqVPlpmWYt.exe | malicious | 185.211.244.128
 | 4CLq3NmVuR.exe | malicious | 45.153.230.81
 | z5srbx950F.exe | malicious | 45.153.230.81
 | UWiZrKOCXe.exe | malicious | 45.153.230.81
 | 4AUzoTtfYq.exe | malicious | 45.153.230.81
 | z4xg3wj6uy.exe | malicious | 45.153.230.81
 | vb2JPIzyc6.exe | malicious | 45.153.230.81
 | ZKMHPZ5Dho.exe | malicious | 45.153.230.81

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
9e10692f1b7f78228b2d4e424db3a98c | Cmh_Fax-Message-3865.html | malicious | 45.153.230.139
 | Invoice-Message-7784002.html | malicious | 45.153.230.139
 | Invoice-Message-4821881.html | malicious | 45.153.230.139
 | Mes_Drivers_3.0.4.exe | malicious | 45.153.230.139
 | FAX.HTML | malicious | 45.153.230.139
 | runsys32.dll | malicious | 45.153.230.139
 | Mclawslaw.ca_Fax-Message.html | malicious | 45.153.230.139
 | E00E.dll | malicious | 45.153.230.139
 | Payslip070620219359636Z.html | malicious | 45.153.230.139
 | attach.html | malicious | 45.153.230.139
 | VM52MC9YQDUO0P.html | malicious | 45.153.230.139
 | RFQ40110 (2).html | malicious | 45.153.230.139
 | runsys32.dll | malicious | 45.153.230.139
 | 2790000.dll | malicious | 45.153.230.139
 | 2770174.dll | malicious | 45.153.230.139
 | q7p7x4f4gX.dll | malicious | 45.153.230.139
 | q7p7x4f4gX.dll | malicious | 45.153.230.139
 | PO # 2367.html | malicious | 45.153.230.139
 | ( 1 ) Voice note-Dassault-aviation.htm | malicious | 45.153.230.139
 | mJSDCeNxFi.exe | malicious | 45.153.230.139
ce5f3254611a8c095a3d821d44539877 | v3EFryEBFV.exe | malicious | 45.153.230.139
 | 7favAeMnIv.exe | malicious | 45.153.230.139
 | 3MIvJieGXT.exe | malicious | 45.153.230.139
 | SaI1j8jXQY.exe | malicious | 45.153.230.139
 | OMJe815AqT.exe | malicious | 45.153.230.139
 | XGkPj4XMQe.exe | malicious | 45.153.230.139
 | XqsSqSatDk.exe | malicious | 45.153.230.139
 | oxlesp2DxT.exe | malicious | 45.153.230.139
 | Djd7ehHiF8.exe | malicious | 45.153.230.139
 | WHsXHrvbaP.exe | malicious | 45.153.230.139
 | p3Q0iRs6J5.exe | malicious | 45.153.230.139
 | q7p7x4f4gX.dll | malicious | 45.153.230.139
 | DhA18Qpbxl.docx | malicious | 45.153.230.139
 | 9cYXsscTTT.exe | malicious | 45.153.230.139
 | ibj3mCisBP.exe | malicious | 45.153.230.139
 | ransom.exe | malicious | 45.153.230.139
 | bGk64hnnAZ.exe | malicious | 45.153.230.139
 | aiwXQo9A8t.exe | malicious | 45.153.230.139
 | Main-Setup.exe | malicious | 45.153.230.139
 | mJSDCeNxFi.exe | malicious | 45.153.230.139

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{643AD4E1-DF56-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 29272
Entropy (8bit): 1.7665913312895036
Encrypted: false
SSDEEP: 48:IwWGcprnGwpLjG/ap8YGIpcfGvnZpvyGoTPqp98Go435zpmEGWT5fTYGWT7T6pOK:rKZxZD24WwtYifn35zMMRs6KFBLSpB
MD5: F1E8391B91C8FD98A4DCDB797345F37A
SHA1: 3052D424084701BDB5765112C5C77A83A781B31C
SHA-256: 49DF2C9D24D64FCF47492D2A57B695A2F3A4DA2BA9BC3E8C6D24C10A55542195
SHA-512: D952B2E173C99C48575BA01B4BC3CB9FDB654FAF7C7DF5402FEF37B3AA8BBE2075F5B8700E332FE60B8F28DB0BF6FB48EC7B06C363E68FFA64803D021910B77D
Malicious: false
Reputation: low
                                                                                                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{643AD4E3-DF56-11EB-90EB-ECF4BBEA1588}.dat
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:Microsoft Word Document
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):26248
                                                                                                                                                                  Entropy (8bit):1.6580929366922152
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:IwuGcprvGwpanG4pQzGrapbSIGQpB2GHHpcLTGUp8VGGzYpmY5FGopaqZ8fGA/X/:ryZZQJ6XBSwj12lWkM4wP/VSA
                                                                                                                                                                  MD5:3BEB5DAA27A7AF27EE5DB0C3210FBD20
                                                                                                                                                                  SHA1:479196CFFCD9608E276AD3AF8BBAA5A955CAA5BB
                                                                                                                                                                  SHA-256:422DDE71533CF70C4DC47E9EE799198525DFA2855D7C7E85B7B9C2E7383F27CB
                                                                                                                                                                  SHA-512:8BDF2D62BF9A05FF063AA1B2464DDE8EE23041EA6F7C2A95751216980D289446E40D7514B4A9B66A51435F4D664D4645B6DE4414CE0683DE2ED84816A8C7D6C3
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):656
                                                                                                                                                                  Entropy (8bit):5.059958773870817
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:TMHdNMNxOE7nWimI002EtM3MHdNMNxOE7nWimI00OYGVbkEtMb:2d6NxOuSZHKd6NxOuSZ7YLb
                                                                                                                                                                  MD5:B41CF8C50222AD4A456F23ABB0B6F6FC
                                                                                                                                                                  SHA1:1D462336AC7E5FB1A2EA2077E2016DCF6C0D5294
                                                                                                                                                                  SHA-256:082E2C5FF39658A1E04EDAC4A6FB04680507D43C8310824AB7C2B64D4172CB61
                                                                                                                                                                  SHA-512:BD55121CEC1995341C34B21814D42184439CE4CC06D660837B05E00670BA517C03D0BA9D8F040FFBEA612C71DB76EE54CEFC628F1F34F80E7685F091AD208ADF
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):653
                                                                                                                                                                  Entropy (8bit):5.094312040833597
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:TMHdNMNxe2kpnWimI002EtM3MHdNMNxe2kpnWimI00OYGkak6EtMb:2d6Nxr0SZHKd6Nxr0SZ7Yza7b
                                                                                                                                                                  MD5:F19D37AE906CA5A41FF7B92ED34AA2D7
                                                                                                                                                                  SHA1:23C2D6872336923AC6A8B589A2D0562AAAC70772
                                                                                                                                                                  SHA-256:8882C3D8BFD443749D834D8C5594EC83A406574AF25E3E1E974C226F871CAE9A
                                                                                                                                                                  SHA-512:68DC388574A5E9B8CF13C504535CBC57CD740BC466960E3FB3C0E362D45488DD8062F7B167CA043C416E7AC8D4A1A69CE030D45CAC1B62DFD9F416C3F55586BC
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x3abe3f20,0x01d77363</date><accdate>0x3abe3f20,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x3abe3f20,0x01d77363</date><accdate>0x3abe3f20,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):662
                                                                                                                                                                  Entropy (8bit):5.079699573594208
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:TMHdNMNxvL7nWimI002EtM3MHdNMNxvL7nWimI00OYGmZEtMb:2d6NxvnSZHKd6NxvnSZ7Yjb
                                                                                                                                                                  MD5:8AE6253D6E6A8F81CB750B0D48347479
                                                                                                                                                                  SHA1:AC4EDC386DFEF7EB8D4465D56E2F9DC473A5FDA5
                                                                                                                                                                  SHA-256:724C144C8488BD0C76F180C927CC42D33248DB7272DE65DB9F623BFC68417601
                                                                                                                                                                  SHA-512:7DBE3D5F5E1CC42E0F5B985FB8B9EF53E27CD89D7C991E931D232294C0AA1A924EC5E57108E7F97C72C3CE1DA24BD4FB6E51E98EE53EFC4C57026B5A0D2D2913
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):647
                                                                                                                                                                  Entropy (8bit):5.07494825240439
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:TMHdNMNxi7nWimI002EtM3MHdNMNxi7nWimI00OYGd5EtMb:2d6NxESZHKd6NxESZ7YEjb
                                                                                                                                                                  MD5:7C5CC47CBC2F6D5FC74CDC5860642917
                                                                                                                                                                  SHA1:D72FE627600977DA7C90379A8D9F6CE63DB1CF61
                                                                                                                                                                  SHA-256:0ED9C19F3DDA7781DE64F975E0818199E2D8484CE929D59A2BD41BAD70219FEB
                                                                                                                                                                  SHA-512:D640383112D698275CB50C78133B9D5479223CA2CDF2FC4FA786554BAD0909300D34F8652256F5EC587D020FB6D7CA10D8E7B034F4303396879FF68B21B73C02
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):656
                                                                                                                                                                  Entropy (8bit):5.094260227035077
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:TMHdNMNxhGw7nWimI002EtM3MHdNMNxhGw7nWimI00OYG8K075EtMb:2d6NxQCSZHKd6NxQCSZ7YrKajb
                                                                                                                                                                  MD5:10EF638595F68E547C08F53819032B4D
                                                                                                                                                                  SHA1:FDC07D127A5412DB64156446A0E550FCF1FE200A
                                                                                                                                                                  SHA-256:08B8700E162CB35797860AF87A589544BA3E699F090FA0DF0CFAFBFB81C2A586
                                                                                                                                                                  SHA-512:02B4A327D7DF549F56DE79B74B7832FBC96A6D753EB30939ACE20E815EC2454F0B03E57F3033E6803B17D68602AF0175C6D80FAB1449DF25BF4EA1712E173657
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):653
                                                                                                                                                                  Entropy (8bit):5.063564934558767
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:TMHdNMNx0n7nWimI002EtM3MHdNMNx0n7nWimI00OYGxEtMb:2d6Nx07SZHKd6Nx07SZ7Ygb
                                                                                                                                                                  MD5:BE54AB7DEC291AC84BF444479821B35F
                                                                                                                                                                  SHA1:6262053617300CD13C67530B6EC02CFB5228EEF5
                                                                                                                                                                  SHA-256:FEEFA73FFB62C5BE6B8520B0FC825796202F3EE7F5AFA240F65DFCABBE97834E
                                                                                                                                                                  SHA-512:8D860B9FBC9CF4F1EA59EEB189ADD8B69205FE7B18B66F866C8D080CB4B6A404B5FBDB92039D10920DA1FF578F3DF40E46530D79EB7018FDA8F57F80C7F95D51
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):656
                                                                                                                                                                  Entropy (8bit):5.099594053198611
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:TMHdNMNxx7nWimI002EtM3MHdNMNxx7nWimI00OYG6Kq5EtMb:2d6NxdSZHKd6NxdSZ7Yhb
                                                                                                                                                                  MD5:2CDC4B1296F4F103FCD21A8E8A314EAA
                                                                                                                                                                  SHA1:BC56BC07155564D442CC08143408D5CA7B8C472B
                                                                                                                                                                  SHA-256:8003328BB194573A9CBF71CDB70448AB16676A92C16262761468FF5C2FA90B3A
                                                                                                                                                                  SHA-512:1504FFF674D8F5D02D20905FAAA4A3AD1276AFA31DC91ABD1773CB3376BC895C1EC6525B53EF3B962CBE84B171C6CFCE72CFF6054079621510CCDC6445A3D7CF
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):659
Entropy (8bit):5.082959143332767
Encrypted:false
SSDEEP:12:TMHdNMNxcpnWimI002EtM3MHdNMNxcpnWimI00OYGVEtMb:2d6NxcSZHKd6NxcSZ7Ykb
MD5:377295D6B628CC755B3AC0177138DA0E
SHA1:E068B500141A936CB7779F74D54E936FF4AE41A2
SHA-256:5D24E9B2A1534ECFD0FB1017D4B33DFE3F310268795A650088C3DA96F22D3778
SHA-512:682BD8347130F94404CFAB6590DCE12AADE402E534FDA2EFC4CBCF0437868E7872A9138C97C3F8C976919FD01F3BC3B664D567114B84316A820B5A935171506E
Malicious:false
Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3abe3f20,0x01d77363</date><accdate>0x3abe3f20,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3abe3f20,0x01d77363</date><accdate>0x3abe3f20,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):653
Entropy (8bit):5.060607950760631
Encrypted:false
SSDEEP:12:TMHdNMNxfn7nWimI002EtM3MHdNMNxfn7nWimI00OYGe5EtMb:2d6NxjSZHKd6NxjSZ7YLjb
MD5:3DCF9C0C2B4980F59DCC198D38C6AD17
SHA1:8F0C59E242BF79BAFD5CA8DAE0BD695BC466D57C
SHA-256:3CFA1DC26AED6D71B0EF201D6F1E076E271D3D9B862C72D6C1ECFD170EBBA618
SHA-512:81A206CF07ED3A707792465FC05676B4CFC5AD62527A8170DE20DB0632937E09DF894E2467DFD9FCB25B6A57DB61876FFB526726B4CADFB3B0203FF9CBD84826
Malicious:false
Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x3ac5e040,0x01d77363</date><accdate>0x3ac5e040,0x01d77363</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E3EB9BFB-9A3C-4BB8-990C-FB40D6108524
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):135209
Entropy (8bit):5.36308595211387
Encrypted:false
SSDEEP:1536:GcQIKNgeBTA3gBwlpQ9DQW+zoY34ZliKWXboOidX5E6LWME9:gEQ9DQW+zwXO1
MD5:22390383207807ECE713F2FD66074C26
SHA1:DC04617F16883BC64D5C2B4673BDE78E6091E5ED
SHA-256:E3E606F2F9AA0744A0F380431FB62A954F02E6C5824317A72FE25DCFD403A320
SHA-512:6D19195158D97CC637D54EFB5482287BA0DBD87CB5F861FAF9E5231A8B03A6433A6F8E3D8DAD5CD64ABC0FBFCD91C81DCC3AF58F8AF110D1A010B2D1847C4FDF
Malicious:false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-07-07T19:05:14">.. Build: 16.0.14306.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\51A62567.png
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:PNG image data, 8 x 10, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):176
Entropy (8bit):6.077353107923878
Encrypted:false
SSDEEP:3:yionv//thPlvtt2Lts2jh/rywOZx9yTl+RESJiWiy8Z1n/XUKTeg1p:6v/lhPgRFjhmhyoiSQZRUAdp
MD5:E9BFB9B9FCBAC9F66AA5D02237A83073
SHA1:5F602C8214375078A7E503E070FDD1DBE44B30C3
SHA-256:23D4BFA6C8893A9C3570C26A1973641A71C787B36B32C6BE64F0DEE8584C86E4
SHA-512:17A77897B0C5134CEB6AC39D624388553A13CE20974C3FF858DD1044FB743A71D35208B9487B429CCC8CD89126DC49F9F191C6113C63A0E88D7AF43B9AF62F27
Malicious:false
Preview: .PNG........IHDR.....................sRGB.........pHYs..........+.....UIDAT.W].A..0.......`....C........{}.g@..RW=.q^q.=...........<...=.r..I.q.x..\x._V9^..D...E.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FF65F03C.png
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:PNG image data, 922 x 684, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):422520
Entropy (8bit):7.996314840104008
Encrypted:true
SSDEEP:12288:WtZp/w4fvVUUcXGS2qBhQbdOM2lCLtTWAUrbIqjx9E5T:WxoYVUrb2NOQtTWAUvrj3CT
MD5:24BA12C8BF662394E56B372B046A9EBA
SHA1:E244001DB714FEA1AB5D87AB4E5820208A15CF62
SHA-256:1D42F50610C56E2816FFC0BF036C75CDD9E3008F9810DBD25644E3482AACFA42
SHA-512:C7BEED250A505F5EB8ACCE734525B3D92AA0C95F454C8B2C0D48DE5AD41193CD8174E94B47D9DF0A61A8FC8C8AF549FCBDC493DE73CDDF967E64BE484254BAFB
Malicious:false
Preview: .PNG........IHDR...............U.....sRGB.........pHYs..........+......IDATx^....eGu-:.{r.i.f4.0A9K.PBB`@....6.8`.N..`?g..`.19J$.BX..s.i.&I....9u.....z..U.[..yX...u..^{.Uu.{nSOO.q....jjj.w....@ss3.....n.9.7.9e...R.<k..j.`=.......Q...M}...n<m~.B.s.@%.e[z......M.>.l.c.....6#....................'._....?.\.,..Y....OT.s.b..7...K?[^....$..e.f"..bI"....../kdx.\..E......1.....G...=y.d3....d...6(L........x.+c..$......Z.G...o.c.....)...E..#...%...(...#;..O/.2~.0,....5....._.%....K......t.8.a.........1..%d,.....(..I.......|...z....L...h.....(A4.2.TJf.]..SS%k...d....l..,.....%.....jIDT6.S...6.Id..[_.z..o..1j...."...1C.|.;E....2.G....e9..$...].!Cv.@}.x..o<n...|....Y..>.......[.q....*.T1.xQ.{...u..Y.gI..Aew.C..Q?b..?[nZ.O...h.X............F.....K.l.....A....R.Pi.....`K.x..j8...:..2.\.e.+N!.....q'......(E(.i.gK#E.n&A..nv..A..5r...?.H.A.....g......#Pbx,.....J...U4...-....9..9.)......Dd...T.X..F..C..zx.b...".j.D...d.&jE.~.....R.T.%...25.dqe..` ..M.....d.Y..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\background_gradient[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
Category:dropped
Size (bytes):453
Entropy (8bit):5.019973044227213
Encrypted:false
SSDEEP:6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
MD5:20F0110ED5E4E0D5384A496E4880139B
SHA1:51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
SHA-256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
SHA-512:5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
Malicious:false
Preview: ......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\httpErrorPagesScripts[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):12105
Entropy (8bit):5.451485481468043
Encrypted:false
SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:9234071287E637F85D721463C488704C
SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:false
Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\upl[1].txt
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):404992
Entropy (8bit):6.667040453584233
Encrypted:false
SSDEEP:6144:h8vockvtMD67Dvy8CyOuq107KjWMTxdtcrsianUAqPt/MmG3G/GERIgg:SwhtCy50mpMTxdtV8AqPtM3gN
MD5:5522C21A05DAF91658951BDF1C0E5271
SHA1:FED4A9B4069CD2676928441ECF8C844CC7F4A9EE
SHA-256:EB6E2519AA5C31174A1ED6C0193B2D0E49E9ED6CA1AC01ED94B3007B5E2F6993
SHA-512:D97A8021B9688C612E280FFCB5443916B9D09857DAF82A62BD5EFAC35EFEFF138125466A74579568DD655CD66CD5085E10CEDB4CAF7981F4EE9F240839B33D55
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 43%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f..."..."...".....:.#...<.9.7...<./.....+.?.+..."...V...<.(.....<.>.#...<.8.#...<.=.#...Rich"...........PE..L....6JJ...........!.....d...r......MQ...................................................@.................................4...d....... .......................|".. ...................................@............................................text....b.......d.................. ..`.rdata...f.......h...h..............@..@.data...............................@....rsrc... ...........................@..@.reloc...5.......6..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ErrorPageTemplate[1]
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):2168
Entropy (8bit):5.207912016937144
Encrypted:false
SSDEEP:24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
Malicious:false
Preview: .body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align

                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\bullet[1]
                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                  File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):447
                                                                                                                                                                  Entropy (8bit):7.304718288205936
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
                                                                                                                                                                  MD5:26F971D87CA00E23BD2D064524AEF838
                                                                                                                                                                  SHA1:7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
                                                                                                                                                                  SHA-256:1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
                                                                                                                                                                  SHA-512:C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\down[1]
                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                  File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):748
                                                                                                                                                                  Entropy (8bit):7.249606135668305
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                                                                                                                                  MD5:C4F558C4C8B56858F15C09037CD6625A
                                                                                                                                                                  SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                                                                                                                                  SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                                                                                                                                  SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\errorPageStrings[1]
                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):4720
                                                                                                                                                                  Entropy (8bit):5.164796203267696
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                                                                                                                                                                  MD5:D65EC06F21C379C87040B83CC1ABAC6B
                                                                                                                                                                  SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                                                                                                                                                                  SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                                                                                                                                                                  SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\http_404[1]
                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):6495
                                                                                                                                                                  Entropy (8bit):3.8998802417135856
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
                                                                                                                                                                  MD5:F65C729DC2D457B7A1093813F1253192
                                                                                                                                                                  SHA1:5006C9B50108CF582BE308411B157574E5A893FC
                                                                                                                                                                  SHA-256:B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
                                                                                                                                                                  SHA-512:717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\info_48[1]
                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                  File Type:PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):4113
                                                                                                                                                                  Entropy (8bit):7.9370830126943375
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
                                                                                                                                                                  MD5:5565250FCC163AA3A79F0B746416CE69
                                                                                                                                                                  SHA1:B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
                                                                                                                                                                  SHA-256:51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
                                                                                                                                                                  SHA-512:E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..|.......*.7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..*}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f*.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg..*..
                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:modified
                                                                                                                                                                  Size (bytes):89
                                                                                                                                                                  Entropy (8bit):4.4382905670638335
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:oVXUdXUfF7W8JOGXnEdXUfFgn:o9UVUf0qEVUfm
                                                                                                                                                                  MD5:22530EC16123D69F6BBD980485593697
                                                                                                                                                                  SHA1:5E260BFEC0131704952EDFDEBED95EB6E0002113
                                                                                                                                                                  SHA-256:919D40AA995D1A4B1191646E0B503051E20F9C3CF834F382971EF0F9B5FAC5E7
                                                                                                                                                                  SHA-512:9BBBD41DE0804B218D1FBD7095E40432EF609EB5EB859E9B479B51DC434558B87D17E752B6C1D1A4641B202E2DCCCEB4F5D9C96ACA54B31FF938D77EFF5FB579
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: [2021/07/07 21:06:12.934] Latest deploy version: ..[2021/07/07 21:06:12.934] 11.211.2 ..
                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DF5838B134AEB34B2C.TMP
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):38745
                                                                                                                                                                  Entropy (8bit):0.37169551383082305
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:kBqoxKAuvScS+Jn1kYIYkqZ8uqZ8QqZ8d:kBqoxKAuvScS+Jn1kHb2I1
                                                                                                                                                                  MD5:1864878A8F36324C7D867F6CB684DE4B
                                                                                                                                                                  SHA1:17C4C72FDDE876AC609B0808A6AB07B37CC67E55
                                                                                                                                                                  SHA-256:DFE45CB395C85131AD5540CE07004125A1FED955440AC573C2C2E3FD60B5D6EE
                                                                                                                                                                  SHA-512:0475600736E8385A432A3B136FFE6B7CD45301D1BED42DF0F2A51BED1EE668344E7028806FEA367BE425FB240620199FF170318B1E1D260F2EEFE38015488FB4
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DFF1BA8F1D432A84A7.TMP
                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):12933
                                                                                                                                                                  Entropy (8bit):0.4081061619504598
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:c9lCg5/9lCgeK9l26an9l26an9l8fRCF9l8fR+9lTqj2At:c9lLh9lLh9lIn9lIn9loO9lo+9lWj2q
                                                                                                                                                                  MD5:134EC12CD57E16973E112F64AA99B4A3
                                                                                                                                                                  SHA1:710230079F7269DB117ED058E3F4611702B53BF7
                                                                                                                                                                  SHA-256:07EC1E7A5CD93A4881271F97E4C53EFFF435F0333805731F14B96521566BBCF1
                                                                                                                                                                  SHA-512:9DF9EBDD077E820F0C73BE8C2EB374870853733F62BDFD1E1C209491C9EC875BE541B6FBE892D665466E6E19B50FD0CB6157123D763DE6096E157915F83D83C7
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
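The per-file fields in these records (Size, Entropy (8bit), Encrypted, MD5/SHA1/SHA-256/SHA-512) are standard dropped-file triage metadata. Note the caveat the report's own data illustrates: info_48[1] is a PNG with entropy 7.937, close to the 8.0 maximum, yet it is marked Encrypted:false, because compressed image data is high-entropy by design. The following is an added example of reproducing that triage offline; it is not the sandbox's code. It assumes the entropy field is byte-level Shannon entropy in bits per byte (0 to 8), uses a hypothetical threshold of 7.5 and a small hand-picked magic-byte table, and constructs its own sample inputs.

```python
import hashlib
import math
from collections import Counter

# Formats whose payload is compressed by design: near-maximal entropy is
# expected and says nothing about encryption. Hypothetical subset for this
# example, keyed by leading magic bytes.
COMPRESSED_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG image data",
    b"\xff\xd8\xff": "JPEG image data",
    b"PK\x03\x04": "Zip archive (OOXML/XLSB, JAR, ...)",
    b"\x1f\x8b": "gzip compressed data",
}

# Non-compressed formats we still want to name (also a hypothetical subset).
OTHER_MAGIC = {
    b"\xef\xbb\xbf": "UTF-8 Unicode (with BOM) text",
    b"MZ": "PE32 executable",
}


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes):
    """Return (file type label, is_compressed_by_design) from leading magic bytes."""
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name, True
    for magic, name in OTHER_MAGIC.items():
        if data.startswith(magic):
            return name, False
    return "data", False


def triage(data: bytes, threshold: float = 7.5) -> dict:
    """Compute report-style metadata for one dropped file held in memory."""
    kind, compressed = identify(data)
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "file_type": kind,
        "entropy": round(ent, 6),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        # Hypothetical heuristic: flag as possibly encrypted or packed only when
        # entropy is high AND the bytes are not a known compressed container.
        # High entropy alone would also flag every PNG/JPEG/zip the browser drops.
        "possibly_encrypted": ent >= threshold and not compressed,
    }


def triage_file(path: str) -> dict:
    """Same triage for a file on disk (e.g. a path from the dropped-files list)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    # Constructed samples: a fake PNG (header + uniform bytes), the same uniform
    # bytes with no recognisable header, and a BOM-prefixed CSS snippet.
    uniform = bytes(range(256)) * 4
    samples = {
        "fake.png": b"\x89PNG\r\n\x1a\n" + uniform,
        "blob.bin": uniform,
        "style.css": b"\xef\xbb\xbfbody { color: #575757; }\r\n",
    }
    for name, blob in samples.items():
        r = triage(blob)
        print(f"{name:10} {r['file_type']:32} entropy={r['entropy']:.3f} "
              f"possibly_encrypted={r['possibly_encrypted']} md5={r['md5']}")
```

Run the script directly to see the three constructed samples classified; the fake PNG and the headerless blob have essentially the same entropy, but only the headerless one is flagged, which is the distinction the Encrypted column in these records is making. Point triage_file() at a real dropped file to reproduce the hash fields for comparison against the report.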
C:\Users\user\Desktop\~$bDemJQO51z.xlsb
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.6081032063576088
Encrypted: false
SSDEEP: 3:RFXI6dtt:RJ1
MD5: 7AB76C81182111AC93ACF915CA8331D5
SHA1: 68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256: 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512: A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious: false
Preview: .pratesh ..p.r.a.t.e.s.h. (Excel owner lock file; remainder of the 165 bytes is padding)
C:\Users\user\tru.dll
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 404992
Entropy (8bit): 6.667040453584233
Encrypted: false
SSDEEP: 6144:h8vockvtMD67Dvy8CyOuq107KjWMTxdtcrsianUAqPt/MmG3G/GERIgg:SwhtCy50mpMTxdtV8AqPtM3gN
MD5: 5522C21A05DAF91658951BDF1C0E5271
SHA1: FED4A9B4069CD2676928441ECF8C844CC7F4A9EE
SHA-256: EB6E2519AA5C31174A1ED6C0193B2D0E49E9ED6CA1AC01ED94B3007B5E2F6993
SHA-512: D97A8021B9688C612E280FFCB5443916B9D09857DAF82A62BD5EFAC35EFEFF138125466A74579568DD655CD66CD5085E10CEDB4CAF7981F4EE9F240839B33D55
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 43%

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.991532360136052
TrID:
• Excel Microsoft Office Binary workbook document (47504/1) 49.74%
• Excel Microsoft Office Open XML Format document (40004/1) 41.89%
• ZIP compressed archive (8000/1) 8.38%
File name: bDemJQO51z.xlsb
File size: 437796
MD5: b53ed71b3c7a18f70d693a137b5adc5c
SHA1: a31f1a98ea227e331303ec0c6ee226a711427998
SHA256: 9e05cd392d9c1334c404ceb8fe28d6bc179d9844569bced9d2d1c057de538dee
SHA512: 0c528acb14396cd98cd7ff4516a13744ba90cd07b28a9badc6142bccaa4542e4e23acba888f0eb872eb8252a8c65cd39262bae0ce4f41d7dad637613c9c918ae
SSDEEP: 12288:6EtZp/w4fvVUUcXGS2qBhQbdOM2lCLtTWAUrbIqjx9E59:6ExoYVUrb2NOQtTWAUvrj3C9

File Icon

Icon Hash: 74f0d0d2c6d6d0f4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jul 7, 2021 21:05:16.981862068 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.172054052 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.172147989 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.173038960 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.367424011 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.367461920 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.367480040 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.367496967 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.367516994 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.368165970 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.368189096 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.417115927 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.607440948 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.607585907 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.608366966 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.800487995 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800518036 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800533056 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800549030 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800565004 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800580978 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800596952 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800612926 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800632000 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.800649881 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:17.809403896 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.809432983 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.809437990 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.809442043 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:17.809444904 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.001907110 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.001943111 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.001960993 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.001980066 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.001996040 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002015114 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002032042 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.002047062 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002067089 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002083063 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002099991 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002111912 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002125025 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002140999 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002156973 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002171993 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002183914 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002196074 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002199888 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.002209902 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002214909 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.002223015 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002240896 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.002315998 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.002928019 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.191994905 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192038059 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192080975 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192116976 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192156076 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192197084 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192230940 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192246914 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192264080 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192266941 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192271948 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192307949 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192344904 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192365885 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192378044 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192378998 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192380905 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192413092 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192445993 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192487955 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192527056 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192538023 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192543030 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192543983 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192545891 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192567110 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192601919 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192603111 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192606926 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192610025 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192635059 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192667961 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192692041 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192698002 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192702055 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192735910 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192775011 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192791939 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192796946 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192811012 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192847967 CEST  443          49734      184.175.93.196  192.168.2.4
Jul 7, 2021 21:05:18.192863941 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192873955 CEST  49734        443        192.168.2.4     184.175.93.196
Jul 7, 2021 21:05:18.192879915 CEST  49734        443        192.168.2.4     184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.192886114 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.192929029 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.192967892 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.192979097 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.192984104 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.192985058 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193005085 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193042994 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193085909 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193129063 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193141937 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193146944 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193149090 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193150997 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193166971 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193196058 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193223953 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193262100 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193299055 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193336964 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193357944 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193367004 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193370104 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193376064 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193378925 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193417072 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193460941 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193460941 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.193464994 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.193470001 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.194109917 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.383795977 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.383836985 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.383865118 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.383894920 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.383924007 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.383950949 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.383976936 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384025097 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384053946 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384057045 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384076118 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384082079 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384082079 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384087086 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384095907 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384100914 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384115934 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384120941 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384143114 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384170055 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384197950 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384226084 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384246111 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384254932 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384258986 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384268999 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384274006 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384278059 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384285927 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384294987 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384315014 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384344101 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384403944 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384433031 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384459972 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384468079 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384475946 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384481907 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384485960 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384511948 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384531021 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384546995 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384552002 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384552956 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384582043 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384617090 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384623051 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384628057 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384634972 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384665966 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384686947 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384690046 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384702921 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384721041 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384723902 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384728909 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384747982 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384768009 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.384774923 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384805918 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384831905 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384859085 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384884119 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384911060 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384939909 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.384933949 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385041952 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385046959 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385087967 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385091066 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385094881 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385097027 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385099888 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385248899 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.385281086 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.385309935 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.385333061 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.385351896 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.385375023 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.385404110 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.385420084 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385426044 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385426998 CEST44349734184.175.93.196192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:05:18.385428905 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385432005 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385433912 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385437012 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385462046 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.385489941 CEST49734443192.168.2.4184.175.93.196
                                                                                                                                                                  Jul 7, 2021 21:05:18.386095047 CEST44349734184.175.93.196192.168.2.4
Timestamp                            SrcPort  DstPort  Source IP        Dest IP
Jul 7, 2021 21:05:18.386128902 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386149883 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386171103 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386188030 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.386195898 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386219025 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386238098 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386256933 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386275053 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386293888 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.386342049 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.386352062 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.386373997 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.386380911 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390003920 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390037060 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390067101 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390096903 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390132904 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390157938 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390185118 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390208006 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390238047 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390259981 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390279055 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390302896 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390301943 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390325069 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390332937 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390340090 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390345097 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390345097 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390364885 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390368938 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390377998 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390383959 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390393972 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390403032 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390412092 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390424967 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390451908 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390476942 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390489101 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390497923 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390506983 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390512943 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.390515089 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390521049 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390561104 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.390573025 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575442076 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575469017 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575480938 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575496912 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575591087 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575643063 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575659037 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575676918 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575701952 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575719118 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575736046 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575737000 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575750113 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575762033 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575776100 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575792074 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575808048 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575824022 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575840950 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575849056 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575855017 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575856924 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575858116 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575864077 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575870991 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575881004 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575884104 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575897932 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575912952 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575928926 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575941086 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.575948954 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.575958967 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576059103 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576077938 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576097012 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576109886 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576123953 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576144934 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576157093 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576162100 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576169968 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576169968 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576173067 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576175928 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576183081 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576200962 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576212883 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576225996 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576241970 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576253891 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576255083 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576260090 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576261997 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576268911 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576281071 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576293945 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576306105 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576323032 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576339960 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576356888 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576374054 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576381922 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576387882 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576390028 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576390028 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576400995 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576402903 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576404095 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:05:18.576818943 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.576827049 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.591186047 CEST  49734    443      192.168.2.4      184.175.93.196
Jul 7, 2021 21:05:18.781413078 CEST  443      49734    184.175.93.196   192.168.2.4
Jul 7, 2021 21:06:14.370563984 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.370615005 CEST  49754    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.410235882 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.410435915 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.412095070 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.412261963 CEST  49754    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.423991919 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.424886942 CEST  49754    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.463356018 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.463624954 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.463723898 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.463736057 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.463752031 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.463766098 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.463809967 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.463843107 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.466537952 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.466573000 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.466587067 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.466604948 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.466618061 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.466625929 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.466713905 CEST  49754    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.466737986 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.467595100 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.467724085 CEST  49754    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.510972023 CEST  49754    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.511507034 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.551182985 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.551215887 CEST  443      49753    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.551656961 CEST  49753    443      192.168.2.4      45.153.230.139
Jul 7, 2021 21:06:14.551769018 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.551861048 CEST  443      49754    45.153.230.139   192.168.2.4
Jul 7, 2021 21:06:14.551934004 CEST  49754    443      192.168.2.4      45.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:14.553749084 CEST49754443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:14.553891897 CEST49754443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:14.595756054 CEST4434975445.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:14.595793009 CEST4434975445.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:15.681777000 CEST4434975445.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:15.681884050 CEST49754443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:17.216057062 CEST49753443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:17.216430902 CEST49754443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.329047918 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.371994019 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.372134924 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.377137899 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.418935061 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.419384956 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.419411898 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.419430017 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.419446945 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.419497013 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.419534922 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.420726061 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.422987938 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.464652061 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.464988947 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.515489101 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.515548944 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:27.557544947 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:27.557571888 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:28.810513973 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:29.026063919 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:39.014174938 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:39.014240980 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:06:39.055939913 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:39.055967093 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:39.899578094 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:39.995785952 CEST49760443192.168.2.445.153.230.139
                                                                                                                                                                  Jul 7, 2021 21:07:54.902317047 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:07:54.902334929 CEST4434976045.153.230.139192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:07:54.902457952 CEST49760443192.168.2.445.153.230.139

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                  Jul 7, 2021 21:06:49.258481026 CEST53642068.8.8.8192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:50.575519085 CEST4922853192.168.2.48.8.8.8
                                                                                                                                                                  Jul 7, 2021 21:06:50.625231981 CEST53492288.8.8.8192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:55.086452007 CEST5090453192.168.2.48.8.8.8
                                                                                                                                                                  Jul 7, 2021 21:06:55.151460886 CEST53509048.8.8.8192.168.2.4
                                                                                                                                                                  Jul 7, 2021 21:06:55.842556953 CEST5752553192.168.2.48.8.8.8
                                                                                                                                                                  Jul 7, 2021 21:06:55.910106897 CEST53575258.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 7, 2021 21:05:16.669984102 CEST | 192.168.2.4 | 8.8.8.8 | 0x3c70 | Standard query (0) | promocioninmobiliaria.cl | A (IP address) | IN (0x0001)
Jul 7, 2021 21:06:14.290328979 CEST | 192.168.2.4 | 8.8.8.8 | 0x38dc | Standard query (0) | bussipod.xyz | A (IP address) | IN (0x0001)
Jul 7, 2021 21:06:27.262942076 CEST | 192.168.2.4 | 8.8.8.8 | 0x4e0b | Standard query (0) | bussipod.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 7, 2021 21:05:16.979497910 CEST | 8.8.8.8 | 192.168.2.4 | 0x3c70 | No error (0) | promocioninmobiliaria.cl | | 184.175.93.196 | A (IP address) | IN (0x0001)
Jul 7, 2021 21:06:14.349544048 CEST | 8.8.8.8 | 192.168.2.4 | 0x38dc | No error (0) | bussipod.xyz | | 45.153.230.139 | A (IP address) | IN (0x0001)
Jul 7, 2021 21:06:27.318104982 CEST | 8.8.8.8 | 192.168.2.4 | 0x4e0b | No error (0) | bussipod.xyz | | 45.153.230.139 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 7, 2021 21:05:17.367516994 CEST | 184.175.93.196 | 443 | 192.168.2.4 | 49734 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
  Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=promocioninmobiliaria.cl | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | Sat May 22 02:00:00 CEST 2021 | Sat Aug 21 01:59:59 CEST 2021
  CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029

Jul 7, 2021 21:06:14.466537952 CEST | 45.153.230.139 | 443 | 192.168.2.4 | 49753 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
  Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=bussipod.xyz | CN=R3, O=Let's Encrypt, C=US | Mon Jun 28 14:38:28 CEST 2021 | Sun Sep 26 14:38:27 CEST 2021
  CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
  CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024

Jul 7, 2021 21:06:14.467595100 CEST | 45.153.230.139 | 443 | 192.168.2.4 | 49754 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
  Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=bussipod.xyz | CN=R3, O=Let's Encrypt, C=US | Mon Jun 28 14:38:28 CEST 2021 | Sun Sep 26 14:38:27 CEST 2021
  CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
  CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024

Jul 7, 2021 21:06:27.420726061 CEST | 45.153.230.139 | 443 | 192.168.2.4 | 49760 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877
  Certificate chain (Subject | Issuer | Not Before | Not After):
  CN=bussipod.xyz | CN=R3, O=Let's Encrypt, C=US | Mon Jun 28 14:38:28 CEST 2021 | Sun Sep 26 14:38:27 CEST 2021
  CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
  CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 21:05:12
Start date: 07/07/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xcc0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:05:18
Start date: 07/07/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -silent ..\tru.dll
Imagebase: 0x1180000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785587738.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786351947.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785490720.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786471515.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785914746.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786046396.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785681429.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785395370.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786832498.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786290579.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786111301.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786598638.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786404919.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786951850.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786858058.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786925101.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786757271.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786687841.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786643583.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786530397.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786910689.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786941081.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786803854.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786882909.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786722388.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785763994.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785197460.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.793270555.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786173982.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785302233.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785981820.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.785845872.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.786231862.00000000061C0000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 21:06:11
Start date: 07/07/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff636db0000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:21:06:12
                                                                                                                                                                  Start date:07/07/2021
                                                                                                                                                                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6756 CREDAT:17410 /prefetch:2
                                                                                                                                                                  Imagebase:0x9e0000
                                                                                                                                                                  File size:822536 bytes
                                                                                                                                                                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:21:06:37
                                                                                                                                                                  Start date:07/07/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:regsvr32 -silent ..\tru.dll
                                                                                                                                                                  Imagebase:0x1180000
                                                                                                                                                                  File size:20992 bytes
                                                                                                                                                                  MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Disassembly

                                                                                                                                                                  Code Analysis