Analysis Report statistic-2069354685.xlsm

Overview

General Information

Sample Name:	statistic-2069354685.xlsm
Analysis ID:	403883
MD5:	e594ea809c24d81cacae25761ae68a4d
SHA1:	c402e78a57d801ee6220aa1e8532e444db22f911
SHA256:	d328633005bb0fd39826107193a26f4d6d933fb4f2dfb6f8e4eb48c6eab81df3
Tags:	IcedIDxlsm
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: System File Execution Location Anomaly

Yara detected MalDoc1

Excel documents contains an embedded macro which executes code when the document is opened

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: statistic-2069354685.xlsm	Metadefender: Detection: 18%			Perma Link
Source: statistic-2069354685.xlsm	ReversingLabs: Detection: 34%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 192.254.233.89:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: industrialarttextile.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.254.233.89:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.254.233.89:443

Networking:

Yara detected MalDoc1

Source: Yara match

File source: sharedStrings.xml, type: SAMPLE

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.185.5.2 192.185.5.2
Source: Joe Sandbox View	IP Address: 192.254.233.89 192.254.233.89

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\216A9434.png

Jump to behavior

Source: rundll32.exe, 00000003.00000002.2114018629.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2108934497.0000000001C30000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: industrialarttextile.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jordji.nbvt11.0.dr	String found in binary or memory: http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4
Source: rundll32.exe, 00000003.00000002.2114018629.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2108934497.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2114018629.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2108934497.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2114228743.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109091484.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2114228743.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109091484.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2114228743.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109091484.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2114228743.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109091484.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2114018629.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2108934497.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2114228743.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109091484.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2114018629.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2108934497.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2108934497.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Source: unknown	HTTPS traffic detected: 192.254.233.89:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Cont
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow bar above RunDLL \|~\| OTherewas a problem starting ..\jordji.nbvt1
Source: Document image extraction number: 8	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 8	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 8	Screenshot OCR: Enable Editing , please click Enable Content from the yellow bar above WHY I CANNOTOPEN THIS DOCUM
Source: Screenshot number: 8	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOTOPEN THIS DOCUMENT? 1 W You are usingiOS orA

Found Excel 4.0 Macro with suspicious formulas

Source: statistic-2069354685.xlsm	Initial sample: EXEC
Source: statistic-2069354685.xlsm	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Source: statistic-2069354685.xlsm

Initial sample: Sheet size: 22188

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><fileVersion appName="xl" lastEdited="5" lowestEdited="6" rupBuild="9303"/><workbookPr filterPrivacy="1"/><bookViews><workbookView xWindow="8595" yWindow="0" windowWidth="4020" windowHeight="3120"/></bookViews><sheets><sheet name="Sheet1" sheetId="9" r:id="rId1"/><sheet name="Sheet2" sheetId="4" r:id="rId2"/><sheet name="Sheet3" sheetId="7" r:id="rId3"/><sheet name="Sheet4" sheetId="8" r:id="rId4"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet2!$AO$115</definedName></definedNames><calcPr calcId="145621"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>

Source: rundll32.exe, 00000003.00000002.2114018629.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2108934497.0000000001C30000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal84.troj.expl.evad.winXLSM@5/18@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$statistic-2069354685.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD26B.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer

Source: statistic-2069354685.xlsm	Metadefender: Detection: 18%
Source: statistic-2069354685.xlsm	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt11,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt11,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: statistic-2069354685.xlsm	Initial sample: OLE zip file path = xl/media/image4.png
Source: statistic-2069354685.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: statistic-2069354685.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: statistic-2069354685.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: statistic-2069354685.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: statistic-2069354685.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.5.2	anaheimdermatologists.com	United States		46606	UNIFIEDLAYER-AS-1US	false
192.254.233.89	industrialarttextile.com	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
anaheimdermatologists.com	192.185.5.2	true
industrialarttextile.com	192.254.233.89	true

ID:	403883
Product:	CloudBasic
Start time:	13:43:27
Start date:	04.05.2021
Sample:	statistic-2069354685.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	e594ea809c24d81cacae25761ae68a4d
SHA1:	c402e78a57d801ee6220aa1e8532e444db22f911
SHA256:	d328633005bb0fd39826107193a26f4d6d933fb4f2dfb6f8e4eb48c6eab81df3
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58596 bytes, 1 file	61A03D15CF62612F50B74867090DBE79	15228F34067B4B107E917BEBAF17CC7C3C1280A8	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	4F5E4C2DD3AA32D30BF30638A47A83F9	B6BF02C21B1B0CF38F344597CA3A217AC76AAFDB	606F69BE69F8C92D632251DC12D34C2CBDCDCE29B4762780F4429046BDCF388C
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	22C81A3207323A001185E4D347C8CB62	F9FE61F0813EB67E6894162159F0A8A43832996E	72A21E4A36B6A07E8B5F3E1F666769E7B8FF00BA80A57FE9B94AC430DA47F88D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\suspendedpage[1].htm	HTML document, ASCII text	0357AA49EA850B11B99D09A2479C321B	41472BA5C40F61FA1C77C42CF06248F13B8785F0	0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\216A9434.png	PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced	D8574C9CC4123EF67C8B600850BE52EE	5547AC473B3523BA2410E04B75E37B1944EE0CCC	ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7417EC62.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	A516B6CB784827C6BDE58BC9D341C1BD	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82F80CFB.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	02DB1068B56D3FD907241C2F3240F849	58EC338C879DDBDF02265CBEFA9A2FB08C569D20	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A28A3EA5.png	PNG image data, 485 x 185, 8-bit/color RGB, non-interlaced	2C5A59B7F30E5E41412EC22FDEA1DBB5	9A64FB6A68683EEC580A881725DBD146E80D06B1	E872E66F60AE5651AE96A2C2A88D07B0D1C96CDDD45F787AB04237891AD4E8FB
C:\Users\user\AppData\Local\Temp\0CDE0000	data	74AE1B685F40E9853B1CDBF7545042DA	C45DE5DECD85C1A40A35818310731B49AB3F8B74	3F18EA54A30438B03923B8E0511D08D9D0A657720BC64E07D614038A0D9CD905
C:\Users\user\AppData\Local\Temp\CabE725.tmp	Microsoft Cabinet archive data, 58596 bytes, 1 file	61A03D15CF62612F50B74867090DBE79	15228F34067B4B107E917BEBAF17CC7C3C1280A8	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
C:\Users\user\AppData\Local\Temp\TarE726.tmp	data	4E0487E929ADBBA279FD752E7FB9A5C4	2497E03F42D2CBB4F4989E87E541B5BB27643536	AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 19:44:41 2021, atime=Tue May 4 19:44:41 2021, length=8192, window=hide	DD0604BCE70E45479C53C63FC04CAD71	8A1B7D31F07A2960A5690ABE07E6852DE5D8D7DB	EE0A698FFCE0C54CDE21B7309704F3C5BF602FE2EBA2B74FC0DC1925167270CE
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	19FC1324EF0021D509D5A8DAF316C4DF	60FF2DF708BD84B80D40E01FF037C9D61F478E46	68782E3476F3DA67AB4D1796164708A27E2CE02134A59429591A41C6C7964DA8
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\statistic-2069354685.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Tue May 4 19:44:41 2021, atime=Tue May 4 19:44:41 2021, length=109076, window=hide	7F3A420A1FB1AEDA14809CFF6E3275D8	89B87D890C8B5DB508E457AFDF5B70A2C263FBBA	8B1370F81A11AD27F3A5F2E06D5C25A5C27E0DD526AD991182229867E9B58957
C:\Users\user\Desktop\0DDE0000	data	74AE1B685F40E9853B1CDBF7545042DA	C45DE5DECD85C1A40A35818310731B49AB3F8B74	3F18EA54A30438B03923B8E0511D08D9D0A657720BC64E07D614038A0D9CD905
C:\Users\user\Desktop\~$statistic-2069354685.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\user\jordji.nbvt11	HTML document, ASCII text	0357AA49EA850B11B99D09A2479C321B	41472BA5C40F61FA1C77C42CF06248F13B8785F0	0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3

Analysis Report statistic-2069354685.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains