Windows Analysis Report
NB NT19901102W.xls

Overview

General Information

Sample name: NB NT19901102W.xls
Analysis ID: 1636402
MD5: 50f4662d25acba4c65aeb4249bb92048
SHA1: 7583fdc28466d08710fb86017b477e58128f884b
SHA256: 90883aca6d0f0119112cf6cdba8323643f8385428af33e88e6d9050daa8899bd
Tags: xls, user-abuse_ch

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected non-DNS traffic on DNS port
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections

Classification

  • System is w11x64_office
  • EXCEL.EXE (PID: 7652 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 7644 cmdline: C:\Windows\splwow64.exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
  • EXCEL.EXE (PID: 2848 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\NB NT19901102W.xls" MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 52.123.129.14, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7652, Protocol: tcp, SourceIp: 192.168.2.24, SourceIsIpv6: false, SourcePort: 51355
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.24, DestinationIsIpv6: false, DestinationPort: 51355, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7652, Protocol: tcp, SourceIp: 52.123.129.14, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched

AV Detection

Source: NB NT19901102W.xls; Avira: detected
Source: NB NT19901102W.xls; Virustotal: Detection: 43%
Source: NB NT19901102W.xls; ReversingLabs: Detection: 36%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: global traffic; DNS query: name: st3.pro
Source: Joe Sandbox View; IP Address: 2.19.11.98
Source: Joe Sandbox View; IP Address: 52.123.129.14
Source: Joe Sandbox View; IP Address: 52.123.128.14
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: st3.pro
Source: Primary1741801307029278700_09756817-52A8-400B-95AB-A6E5D1880F0B.log.13.dr, Primary1741801209701384900_A0CA31DF-E178-4AC3-8D65-A06E1C86B9A6.log.0.dr; String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40/flatfontassets.pkg
Source: NB NT19901102W.xls, E4A50000.0.dr; String found in binary or memory: https://st3.pro/7PhNlfi?&coke=absorbing&quiet=heady&weakness=habitual&miscommunicationY
Source: NB NT19901102W.xls; OLE indicator, VBA macros: true
Source: NB NT19901102W.xls; Stream path 'MBD00B2C91F/\x1Ole' : https://st3.pro/7PhNlfi?&coke=absorbing&quiet=heady&weakness=habitual&miscommunicationYc-X#J6jSTOrEL}jSRpwTnms2ANwtsU2Cp0NcXYbJLuDnoaN0NtYnDfVnUtBXp9tmFOkZN9vFL8obZgrytr9zMmrj1uvIRYjcIfBE4OyWOAjGci931oT1d1hAuDuavBgQ<}U&
Source: E4A50000.0.dr; Stream path 'MBD00B2C91F/\x1Ole' : https://st3.pro/7PhNlfi?&coke=absorbing&quiet=heady&weakness=habitual&miscommunicationYc-X#J6jSTOrEL}jSRpwTnms2ANwtsU2Cp0NcXYbJLuDnoaN0NtYnDfVnUtBXp9tmFOkZN9vFL8obZgrytr9zMmrj1uvIRYjcIfBE4OyWOAjGci931oT1d1hAuDuavBgQ<}U&
Source: ~DF35D568B4C4991E19.TMP.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine; Classification label: mal56.winXLS@4/15@1/7
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\Desktop\E4A50000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{A0CA31DF-E178-4AC3-8D65-A06E1C86B9A6} - OProcSessId.dat
Source: NB NT19901102W.xls; OLE indicator, Workbook stream: true
Source: E4A50000.0.dr; OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\NB NT19901102W.xls"
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Automated click: OK
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: NB NT19901102W.xls; Static file information: File size 1294336 > 1048576
Source: ~DF35D568B4C4991E19.TMP.0.dr; Initial sample: OLE indicators vbamacros = False
Source: NB NT19901102W.xls; Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: NB NT19901102W.xls Stream path 'MBD00B2C91E/Package' entropy: 7.99483476295 (max. 8.0)
Source: NB NT19901102W.xls Stream path 'Workbook' entropy: 7.98583897101 (max. 8.0)
Source: E4A50000.0.dr Stream path 'Workbook' entropy: 7.9837506374 (max. 8.0)
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 618
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information queried: ProcessInformation
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: Exploitation for Client Execution (3); Scheduled Task/Job; At; Cron; Launchd
  • Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Defense Evasion: Masquerading (3); Virtualization/Sandbox Evasion (1); Process Injection (1); Obfuscated Files or Information (1); Software Packing
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
This section contains all screenshots as thumbnails, including those not shown in the slideshow.