Windows Analysis Report statistic-1496367785.xls

Overview

General Information

Sample Name:	statistic-1496367785.xls
Analysis ID:	441923
MD5:	7fb48e03b899f792be6c3118a46c5c8f
SHA1:	55445d13cd433121c6c2bfb31414b08e31e28a65
SHA256:	1c818433e1ca49729f987b3f060b2133c8375f8164181c4684600a278ee6033f
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Yara detected Xls With Macro 4.0

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: statistic-1496367785.xls	Virustotal: Detection: 37%			Perma Link
Source: statistic-1496367785.xls	ReversingLabs: Detection: 34%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 162.241.2.112:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.179.232.80:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: psq.com.mx

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.2.112:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.2.112:443

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 108.179.232.80 108.179.232.80
Source: Joe Sandbox View	IP Address: 162.241.2.112 162.241.2.112

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: psq.com.mx

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: E0968A1E3A40D2582E7FD463BAEB59CD0.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: E0968A1E3A40D2582E7FD463BAEB59CD0.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 49262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49289
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49287
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49284
Source: unknown	Network traffic detected: HTTP traffic on port 49286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49283
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49282
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49281
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49280
Source: unknown	Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49279
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49275
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49271
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown	Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 49285 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49227
Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 49265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown	Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 49230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown	Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49269
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49263
Source: unknown	Network traffic detected: HTTP traffic on port 49261 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49262
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49261
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49260
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49258
Source: unknown	Network traffic detected: HTTP traffic on port 49266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown	Network traffic detected: HTTP traffic on port 49287 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49253
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown	Network traffic detected: HTTP traffic on port 49249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49283 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49230
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown	Network traffic detected: HTTP traffic on port 49215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49228
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443

Source: unknown	HTTPS traffic detected: 162.241.2.112:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.179.232.80:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please click En
Source: Screenshot number: 4	Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 ,, WHY I CANNOT OPEN THIS DOCUMENT? 19 2

Found Excel 4.0 Macro with suspicious formulas

Source: statistic-1496367785.xls	Initial sample: CALL
Source: statistic-1496367785.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: statistic-1496367785.xls

Initial sample: Sheet size: 8121

Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal80.expl.evad.winXLS@5/13@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\7BCE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC33F.tmp

Jump to behavior

Source: statistic-1496367785.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer

Source: statistic-1496367785.xls	Virustotal: Detection: 37%
Source: statistic-1496367785.xls	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir1,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: statistic-1496367785.xls

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Source: Yara match

File source: statistic-1496367785.xls, type: SAMPLE

Yara detected Xls With Macro 4.0

Source: Yara match

File source: statistic-1496367785.xls, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.179.232.80	academy.haleemcampus.com	United States		46606	UNIFIEDLAYER-AS-1US	false
162.241.2.112	psq.com.mx	United States		26337	OIS1US	false

Contacted Domains

Name	IP	Active
academy.haleemcampus.com	108.179.232.80	true
psq.com.mx	162.241.2.112	true

AV Detection:

Multi AV Scanner detection for submitted file

Source: statistic-1496367785.xls	Virustotal: Detection: 37%			Perma Link
Source: statistic-1496367785.xls	ReversingLabs: Detection: 34%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 162.241.2.112:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.179.232.80:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: psq.com.mx

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.2.112:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.2.112:443

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 108.179.232.80 108.179.232.80
Source: Joe Sandbox View	IP Address: 162.241.2.112 162.241.2.112

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: psq.com.mx

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: E0968A1E3A40D2582E7FD463BAEB59CD0.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: E0968A1E3A40D2582E7FD463BAEB59CD0.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 49262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49289
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49287
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49284
Source: unknown	Network traffic detected: HTTP traffic on port 49286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49283
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49282
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49281
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49280
Source: unknown	Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49279
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49275
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49271
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown	Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 49285 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49227
Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 49265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown	Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 49230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown	Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49269
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49263
Source: unknown	Network traffic detected: HTTP traffic on port 49261 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49262
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49261
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49260
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49258
Source: unknown	Network traffic detected: HTTP traffic on port 49266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown	Network traffic detected: HTTP traffic on port 49287 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49253
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown	Network traffic detected: HTTP traffic on port 49249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49283 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49230
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown	Network traffic detected: HTTP traffic on port 49215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49228
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443

Source: unknown	HTTPS traffic detected: 162.241.2.112:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.179.232.80:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please click En
Source: Screenshot number: 4	Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 ,, WHY I CANNOT OPEN THIS DOCUMENT? 19 2

Found Excel 4.0 Macro with suspicious formulas

Source: statistic-1496367785.xls	Initial sample: CALL
Source: statistic-1496367785.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: statistic-1496367785.xls

Initial sample: Sheet size: 8121

Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal80.expl.evad.winXLS@5/13@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\7BCE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC33F.tmp

Jump to behavior

Source: statistic-1496367785.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer

Source: statistic-1496367785.xls	Virustotal: Detection: 37%
Source: statistic-1496367785.xls	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir1,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: statistic-1496367785.xls

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Source: Yara match

File source: statistic-1496367785.xls, type: SAMPLE

Yara detected Xls With Macro 4.0

Source: Yara match

File source: statistic-1496367785.xls, type: SAMPLE

ID:	441923
Product:	CloudBasic
Start time:	17:39:41
Start date:	29.06.2021
Sample:	statistic-1496367785.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	7fb48e03b899f792be6c3118a46c5c8f
SHA1:	55445d13cd433121c6c2bfb31414b08e31e28a65
SHA256:	1c818433e1ca49729f987b3f060b2133c8375f8164181c4684600a278ee6033f
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61020 bytes, 1 file	2902DE11E30DCC620B184E3BB0F0C1CB	5D11D14A2558801A2688DC2D6DFAD39AC294F222	E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD	data	285EC909C4AB0D2D57F5086B225799AA	D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	68B9C761219A5B1F0131784474665DB61BBDB109E00F05CA9F74244EE5F5F52B
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	5887C271965F719C89333C6163140C6D	CCC64032064157F9FFB5E4029658F2E54DBBE718	41837F6E53AA0BFA346A01BC4097C81ADFB00AEE7C9980E2AFCEEDD875EA0C3E
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD	data	22E86CEB0C5CC0960981167FFA58E3FD	6AACE3A60A040C637E47DE3693BE9238DCF03A60	F8E8C226C714E1209B320FDD083890D545C0917173287C8CF4B653DA4BA0E3A2
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	1F793405F9FC9C81BBC7F99C7F5A8BDF	840F15829F9F926B3164AB9E8CBE2DFFDD519A37	9E8D613136A5D033EEA184928671C325E5599AEB9D4B5BBB97AADA7BE3E6D38B
C:\Users\user\AppData\Local\Temp\BACE0000	data	95886F5C23351447BEE438643BB47432	E883CB7D47EDA8D717A9E5BEFBE2FC07A5466A48	133BED2878DC1421701EFD5F935ECA31E278507D75D2C629A2349DC39CCAAC6F
C:\Users\user\AppData\Local\Temp\CabD3B5.tmp	Microsoft Cabinet archive data, 61020 bytes, 1 file	2902DE11E30DCC620B184E3BB0F0C1CB	5D11D14A2558801A2688DC2D6DFAD39AC294F222	E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
C:\Users\user\AppData\Local\Temp\TarD3B6.tmp	data	E4731F8A3E7352DBA44EC7D3DD15BAEA	D5CA0025FBD356DEB8EDE35001F93039625562A5	6C78EF77ACEF978321CCD30EE126FB7D30285BC186DDBDBE8B3E8F6E69D01353
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun May 30 23:40:37 2021, atime=Sun May 30 23:40:37 2021, length=16384, window=hide	F6CB0636A61B6677DB175EAB2729313C	CD6C7366FEE018D85A9E30EFE4C3C07C78D1F7D0	C22D9BCFD7B727AB047457EF656C6D998921191BAA002702A3131D31CC6F811E
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	827572951026F0F9437E31D866B8FF08	0B6A363D618B5E1D031EE6E5DCE5C18A9B13BBE6	493A258224290D5C5BB92DC4C57E3B8E36D4BE213CC9F3744D69D345F03B843B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\statistic-1496367785.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sun May 30 23:40:37 2021, atime=Sun May 30 23:40:37 2021, length=173056, window=hide	EAE54A6709DFE2966EF10CC1E73A3345	3EB62EF39E7F1925E6AED8B9197596770CF6ADD1	367542B6A9E110DD6525E6A474419B03BB4F9C790655EEF1A755110759F0EBD7
C:\Users\user\Desktop\7BCE0000	Applesoft BASIC program data, first line number 16	7CEED140B26A2DDA4FCB7BD954F211CF	4D2AF9F747412365FBB0CB4C235AD669C67006A9	7C074CAFC1D4A9E6EE817FDB3FBB247D0506EBD57D9FAE98A208A963F3BE1F5E

Windows Analysis Report statistic-1496367785.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains