
Windows Analysis Report policy#37820.xlsb

Overview

General Information

Sample Name: policy#37820.xlsb
Analysis ID: 442547
MD5: f60146ee4fab89ecde8bb1bdb23287b6
SHA1: 82bb4929a849deb1860e4c902745a0673c5911c8
SHA256: 6ab90a34f6fdfaf1486009f70318816cc61201248c0a5231030b9b3d3e010fe9

Detection

RMSRemoteAdmin Hidden Macro 4.0
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to create processes via WMI
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the current domain controller via net
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious WMI Execution
Stores large binary data to the registry
Tries to load missing DLLs
Yara detected RMS RemoteAdmin tool

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5412 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 6388 cmdline: wmic process call create 'C:\Users\Public\Libraries/appscomhost' MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • appscomhost (PID: 6596 cmdline: C:\Users\Public\Libraries/appscomhost MD5: 8DF649FAB065908962626C67F247618C)
    • Javelin.exe (PID: 6832 cmdline: 'C:\Users\Public\JavelinNew\Javelin.exe' MD5: AF5879D56594F01794A2C028BC75EC27)
      • Javelin.exe (PID: 7128 cmdline: C:\Users\Public\JavelinNew\Javelin.exe -run_agent -second MD5: AF5879D56594F01794A2C028BC75EC27)
        • cmd.exe (PID: 6308 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • net.exe (PID: 6836 cmdline: net user /domain MD5: DD0561156F62BC1958CE0E370B23711B)
            • net1.exe (PID: 6436 cmdline: C:\Windows\system32\net1 user /domain MD5: B5A26C2BF17222E86B91D26F1247AF3E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\Public\JavelinNew\Javelin.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
C:\Users\Public\JavelinNew\Javelin.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
00000008.00000000.273261388.0000000001208000.00000002.00020000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
0000000B.00000003.319348250.000000007E8F0000.00000004.00000001.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
0000000B.00000000.293269223.0000000001208000.00000002.00020000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
(5 of 10 entries shown)

                Sigma Overview

                System Summary:

Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\JavelinNew\Javelin.exe' , CommandLine: 'C:\Users\Public\JavelinNew\Javelin.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\JavelinNew\Javelin.exe, NewProcessName: C:\Users\Public\JavelinNew\Javelin.exe, OriginalFileName: C:\Users\Public\JavelinNew\Javelin.exe, ParentCommandLine: C:\Users\Public\Libraries/appscomhost, ParentImage: C:\Users\Public\Libraries\appscomhost, ParentProcessId: 6596, ProcessCommandLine: 'C:\Users\Public\JavelinNew\Javelin.exe' , ProcessId: 6832
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: wmic process call create 'C:\Users\Public\Libraries/appscomhost', CommandLine: wmic process call create 'C:\Users\Public\Libraries/appscomhost', CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5412, ProcessCommandLine: wmic process call create 'C:\Users\Public\Libraries/appscomhost', ProcessId: 6388
Sigma detected: Suspicious WMI Execution
Source: Process started | Author: Michael Haag, Florian Roth, juju4, oscd.community | Data: Command: wmic process call create 'C:\Users\Public\Libraries/appscomhost', CommandLine: wmic process call create 'C:\Users\Public\Libraries/appscomhost', CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5412, ProcessCommandLine: wmic process call create 'C:\Users\Public\Libraries/appscomhost', ProcessId: 6388
Sigma detected: Net.exe Execution
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: net user /domain, CommandLine: net user /domain, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6308, ProcessCommandLine: net user /domain, ProcessId: 6836

                Signature Overview

Source: 5.1.appscomhost.10000000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: Javelin.exe, 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 212.2.198.90:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb0U source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_0040676F FindFirstFileW,FindClose,
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00402902 FindFirstFileW,

                Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: usa[1].0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
Source: global traffic | DNS query: name: etisalatbuyback.com
Source: global traffic | TCP traffic: 192.168.2.3:49720 -> 212.2.198.90:443 (2 entries)
Source: excel.exe | Memory has grown: Private usage: 1MB later: 104MB
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 209.205.218.178:5655
Source: global traffic | TCP traffic: 192.168.2.3:49749 -> 198.147.28.34:5655
Source: Joe Sandbox View | IP Address: 209.205.218.178 209.205.218.178
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 192.119.14.178 (14 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 198.147.28.34 (36 entries)
Source: unknown | DNS traffic detected: queries for: etisalatbuyback.com
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp | String found in binary or memory: http://madExcept.comU
Source: appscomhost, 00000005.00000002.284875976.000000000040A000.00000004.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: Javelin.exe, 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp, Javelin.exe, 00000008.00000002.302591567.0000000001463000.00000002.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | String found in binary or memory: http://rmansys.ru/internet-id/
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: http://update.remoteutilities.net/upgrade.ini
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: http://update.remoteutilities.net/upgrade_beta.ini
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Javelin.exe, 00000008.00000000.272062914.0000000000E01000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305300851.0000000011149000.00000002.00020000.sdmp | String found in binary or memory: http://www.openssl.org/V
Source: Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | HTTPS traffic detected: 212.2.198.90:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

                System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing on the yellow bar if the document was downloaded from the Internet. 12 ,, , " 3. C
Source: Screenshot number: 4 | Screenshot OCR: Enable content onthe yellow barto run plugin Core decryption. 14 15 16 1 i 17 P 18 19 20 2
Source: Screenshot number: 8 | Screenshot OCR: Enable editing on the yellow bar if the document was downloaded from the Internet. , Click Enable
Source: Screenshot number: 8 | Screenshot OCR: Enable content onthe yellow barto run plugin Core decryption. Results o o Certifies documents )
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000001.00000002.259206296.0000000000800000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create 'C:\Users\Public\Libraries/appscomhost'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=::=::\=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=NEBFQQYUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsU?
Found abnormal large hidden Excel 4.0 Macro sheet
Source: policy#37820.xlsb | Initial sample: Sheet size: 230235
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1]
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\Libraries\appscomhost
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\Public\JavelinNew\Javelin.exe | File created: C:\Windows\TEMP\Javelin.madExcept
Source: C:\Users\Public\JavelinNew\Javelin.exe | File deleted: C:\Windows\Temp\Javelin.madExcept
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00407458
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00406C81
                Source: Javelin.exe.5.drStatic PE information: Number of sections : 11 > 10
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: dnsapi.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: winnsi.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: textinputframework.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: coreuicomponents.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: coremessaging.dll
                Source: classification engine | Classification label: mal96.expl.evad.winXLSB@15/18@4/6
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00404858 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004021A2 CoCreateInstance,
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1bd8
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1bd8
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1ab0
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1ab0
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{291ED4E2-78EE-480C-BE22-D3277A2D5535} - OProcSessId.dat
                Source: Yara match | File source: 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.320355698.000000007EED0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.309591822.000000007CF10000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.517622759.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.288998400.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000000.268064699.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: C:\Users\Public\JavelinNew\Javelin.exe, type: DROPPED
                Source: C:\Users\Public\Libraries\appscomhost | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\Public\JavelinNew\Javelin.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:\Users\Public\Libraries/appscomhost'
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\Public\Libraries\appscomhost C:\Users\Public\Libraries/appscomhost
                Source: C:\Users\Public\Libraries\appscomhost | Process created: C:\Users\Public\JavelinNew\Javelin.exe 'C:\Users\Public\JavelinNew\Javelin.exe'
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process created: C:\Users\Public\JavelinNew\Javelin.exe C:\Users\Public\JavelinNew\Javelin.exe -run_agent -second
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user /domain
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user /domain
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:\Users\Public\Libraries/appscomhost'
                Source: C:\Users\Public\Libraries\appscomhost | Process created: C:\Users\Public\JavelinNew\Javelin.exe 'C:\Users\Public\JavelinNew\Javelin.exe'
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user /domain
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user /domain
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Window found: window name: TComboBox
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: policy#37820.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
                Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb0U source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
                Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
                Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
                Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb | source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
                Source: Javelin.exe.5.dr | Static PE information: real checksum: 0xfe775f should be:
                Source: Javelin.exe.5.dr | Static PE information: section name: .didata

                Persistence and Installation Behavior:

                Creates processes via WMI
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1]
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\nsis7z.dll
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\registry.dll
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\NSISList.dll
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\Libraries\appscomhost
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\Public\JavelinNew\Javelin.exe
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\System.dll
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\Public\JavelinNew\ssleay32.dll
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\Public\JavelinNew\libeay32.dll
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1]
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\Libraries\appscomhost
                Source: C:\Users\Public\Libraries\appscomhost | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\Public\Libraries\appscomhost | Key value created or modified: HKEY_CURRENT_USER\Software\Postapocalyptic rundlet\Host\Parameters General
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\Libraries\appscomhost | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Query firmware table information (likely to detect VMs)
                Source: C:\Users\Public\JavelinNew\Javelin.exe | System information queried: FirmwareTableInformation
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: Javelin.exe, 00000008.00000000.272062914.0000000000E01000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Window / User API: threadDelayed 1403
                Source: C:\Users\Public\JavelinNew\Javelin.exe TID: 6608 | Thread sleep time: -35000s >= -30000s
                Source: C:\Users\Public\JavelinNew\Javelin.exe TID: 6520 | Thread sleep time: -180000s >= -30000s
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user /domain
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Last function: Thread delayed
                Source: C:\Users\Public\JavelinNew\Javelin.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_0040676F FindFirstFileW,FindClose,
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00402902 FindFirstFileW,
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Thread delayed: delay time: 60000
                Source: WMIC.exe, 00000001.00000002.258960030.0000000000700000.00000002.00000001.sdmp, Javelin.exe, 00000008.00000002.303131921.0000000001A70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Javelin.exe, 0000000B.00000003.331432284.00000000052E1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                Source: WMIC.exe, 00000001.00000002.258960030.0000000000700000.00000002.00000001.sdmp, Javelin.exe, 00000008.00000002.303131921.0000000001A70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: WMIC.exe, 00000001.00000002.258960030.0000000000700000.00000002.00000001.sdmp, Javelin.exe, 00000008.00000002.303131921.0000000001A70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: WMIC.exe, 00000001.00000002.258960030.0000000000700000.00000002.00000001.sdmp, Javelin.exe, 00000008.00000002.303131921.0000000001A70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\Public\Libraries\appscomhost | API call chain: ExitProcess graph end node
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process information queried: ProcessInformation
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process token adjusted: Debug
                Source: C:\Users\Public\Libraries\appscomhost | Process created: C:\Users\Public\JavelinNew\Javelin.exe 'C:\Users\Public\JavelinNew\Javelin.exe'
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user /domain
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user /domain
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Javelin.exe, 00000008.00000000.272062914.0000000000E01000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
                Source: Yara match | File source: 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000000.273261388.0000000001208000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.319348250.000000007E8F0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.293269223.0000000001208000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.324153787.000000007F8D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Javelin.exe PID: 6832, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Javelin.exe PID: 7128, type: MEMORY
                Source: Yara match | File source: C:\Users\Public\JavelinNew\Javelin.exe, type: DROPPED

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation 21 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping | File and Directory Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
                Default Accounts | Scripting 1 | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Scripting 1 | LSASS Memory | System Information Discovery 37 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Exploitation for Client Execution 33 | Logon Script (Windows) | Access Token Manipulation 1 | Software Packing 1 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 11 | DLL Side-Loading 1 | NTDS | Security Software Discovery 221 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion 1 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Extra Window Memory Injection 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 111 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 21 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Modify Registry 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion 111 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection 11 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

Behavior Graph

Behavior Graph ID: 442547, Sample: policy#37820.xlsb, Startdate: 30/06/2021, Architecture: WINDOWS, Score: 96

Signatures attached to the sample node: Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Contains functionality to create processes via WMI; 6 other signatures

Process tree with dropped files, network contacts and signatures, recovered from the graph (the graph legend annotates each process with its number of created registry values and number of created files, given here in parentheses):

• EXCEL.EXE (163 / 56) started
  • contacted etisalatbuyback.com 212.2.198.90 (ports 443, 49720), DORUKNETTR, Turkey
  • dropped C:\Users\user\AppData\Local\...\usa[1] (PE32), C:\Users\Public\Libraries\appscomhost (PE32), C:\Users\user\Desktop\~$policy#37820.xlsb (data)
  • signature: Document exploit detected (UrlDownloadToFile)
  • WMIC.exe started; signature: Creates processes via WMI
    • conhost.exe started
• appscomhost (8 / 27) started
  • dropped C:\Users\Public\JavelinNew\Javelin.exe (PE32), C:\Users\user\AppData\Local\...\registry.dll (PE32), C:\Users\user\AppData\Local\...\nsis7z.dll (PE32), 4 other files (none is malicious)
  • Javelin.exe started; signature: Query firmware table information (likely to detect VMs)
    • Javelin.exe started; signature: Query firmware table information (likely to detect VMs)
      • contacted 192.119.14.178 (ports 49739, 5655), 24SHELLSUS, United States; 198.147.28.34 (ports 49749, 49751, 49753), 24SHELLSUS, United States; 3 other IPs or domains
      • cmd.exe started
        • net.exe started
          • net1.exe started
        • conhost.exe started


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                No Antivirus matches

                Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\Public\JavelinNew\libeay32.dll | 3% | Metadefender | | Browse
C:\Users\Public\JavelinNew\libeay32.dll | 3% | ReversingLabs | |
C:\Users\Public\JavelinNew\ssleay32.dll | 0% | Metadefender | | Browse
C:\Users\Public\JavelinNew\ssleay32.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nso349F.tmp\NSISList.dll | 3% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\nso349F.tmp\NSISList.dll | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nso349F.tmp\System.dll | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\nso349F.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nso349F.tmp\nsis7z.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nso349F.tmp\registry.dll | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\nso349F.tmp\registry.dll | 2% | ReversingLabs | |

                Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
5.1.appscomhost.10000000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7 | | Download File

                Domains

Source | Detection | Scanner | Label | Link
etisalatbuyback.com | 0% | Virustotal | | Browse

                URLs

Source | Detection | Scanner | Label | Link
http://update.remoteutilities.net/upgrade_beta.ini | 0% | Virustotal | | Browse
http://update.remoteutilities.net/upgrade_beta.ini | 0% | Avira URL Cloud | safe |
http://www.indyproject.org/ | 0% | URL Reputation | safe |
http://madExcept.comU | 0% | Avira URL Cloud | safe |
http://update.remoteutilities.net/upgrade.ini | 0% | Virustotal | | Browse
http://update.remoteutilities.net/upgrade.ini | 0% | Avira URL Cloud | safe |

                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
etisalatbuyback.com | 212.2.198.90 | true | false | | unknown
id70.remoteutilities.com | 209.205.218.178 | true | false | | high

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG | Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | appscomhost, 00000005.00000002.284875976.000000000040A000.00000004.00020000.sdmp | false | | high
http://update.remoteutilities.net/upgrade_beta.ini | Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.indyproject.org/ | Javelin.exe, 00000008.00000000.272062914.0000000000E01000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.openssl.org/V | appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305300851.0000000011149000.00000002.00020000.sdmp | false | | high
http://rmansys.ru/internet-id/ | Javelin.exe, 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp, Javelin.exe, 00000008.00000002.302591567.0000000001463000.00000002.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | false | | high
http://madExcept.comU | Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html | Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp | false | | high
http://update.remoteutilities.net/upgrade.ini | Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.119.14.178 | unknown | United States | 55081 | 24SHELLSUS | false
198.147.28.34 | unknown | United States | 55081 | 24SHELLSUS | false
209.205.218.178 | id70.remoteutilities.com | United States | 55081 | 24SHELLSUS | false
212.2.198.90 | etisalatbuyback.com | Turkey | 8685 | DORUKNETTR | false

                              Private

                              IP
                              192.168.2.1
                              127.0.0.1

                              General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 442547
Start date: 30.06.2021
Start time: 20:05:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: policy#37820.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.expl.evad.winXLSB@15/18@4/6
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 66.4% (good quality ratio 65.2%)
• Quality average: 88%
• Quality standard deviation: 19.7%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 23.211.6.115, 13.64.90.137, 52.109.76.68, 52.109.12.23, 52.109.88.40, 23.35.236.56, 20.82.210.154, 173.222.108.226, 173.222.108.210, 51.103.5.186, 80.67.82.235, 80.67.82.211, 40.112.88.60
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
20:06:11 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
20:06:23 | API Interceptor | 17x Sleep call for process: Javelin.exe modified

                              Joe Sandbox View / Context

                              IPs

Match | Associated Sample Name / URL | Detection
192.119.14.178 | Webinar.exe | malicious
| QBikGim.exe | malicious
| FG1eBAAwpR.exe | malicious
| 04_12_21.exe | malicious
209.205.218.178 | etcglobal.odt.exe | malicious
| Desktop.exe | malicious
| 04.12.21.exe | malicious
| Webinar.exe | malicious
| QC-Telecom.exe | malicious
| 4CyHW6t6Yr.exe | malicious
| QBikGim.exe | malicious
| FG1eBAAwpR.exe | malicious
| 04_12_21.exe | malicious
| 8XioA9UTsz.exe | malicious
| 8XioA9UTsz.exe | malicious

                                                            Domains

Match | Associated Sample Name / URL | Detection | Context
id70.remoteutilities.com | etcglobal.odt.exe | malicious | 209.205.218.178

                                                            ASN

Match | Associated Sample Name / URL | Detection | Context
24SHELLSUS | etcglobal.odt.exe | malicious | 209.205.218.178
| HuPjcvVze1.exe | malicious | 67.220.184.242
| MACHINE SPECIFICATIONS.exe | malicious | 67.220.184.98
| PO108021.exe | malicious | 108.175.160.242
| Shipping Details_PDF.exe | malicious | 67.220.184.98
| New Order202105.exe | malicious | 67.220.184.98
| IQ4lblwCjQ.exe | malicious | 67.220.184.98
| sample products 1,2,&,4.exe | malicious | 209.205.207.130
| PO QT-028564.xlsx | malicious | 67.220.184.98
| IMG_20210526_SWIFTOREPORT_JPG.exe | malicious | 67.220.184.98
| TNT ADVICE.docx | malicious | 67.220.184.98
| MACHINE SPECIFICATION.exe | malicious | 67.220.184.146
| Shipping Details.exe | malicious | 67.220.184.98
| TNT BILL OF LADING DOCUMENTS.exe | malicious | 67.220.184.98
| Invoice#0593.exe | malicious | 67.220.184.98
| Invoices.exe | malicious | 67.220.184.98
| INV_6682738993_IMG.exe | malicious | 67.220.184.98
| VWR CI 220221.xlsx.exe | malicious | 67.220.184.98
| file.exe | malicious | 67.220.184.98
| Shipping DetailsPDF.exe | malicious | 67.220.184.98

                                                            JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | Q8RJQ90EC6.exe | malicious | 212.2.198.90
| H03PtcViQG.exe | malicious | 212.2.198.90
| banka bildirimi SWIFT PDF.exe | malicious | 212.2.198.90
| yKz3gtwWvN.exe | malicious | 212.2.198.90
| Mz89FW9zvK.exe | malicious | 212.2.198.90
| data.doc_Client.exe | malicious | 212.2.198.90
| obfuscated-html.html | malicious | 212.2.198.90
| MV YU FENG4 TRADER_ISO8217.docx | malicious | 212.2.198.90
| plan-870783614.xlsb | malicious | 212.2.198.90
| newbad.rtf_Client.vbs | malicious | 212.2.198.90
| spot.dll | malicious | 212.2.198.90
| spot.dll | malicious | 212.2.198.90
| 3.dll | malicious | 212.2.198.90
| 3.dll | malicious | 212.2.198.90
| StsDQGUVmT.exe | malicious | 212.2.198.90
| L0DdbYIYEx.exe | malicious | 212.2.198.90
| GamDzCDMI0.exe | malicious | 212.2.198.90
| O8O8CUUvAF.exe | malicious | 212.2.198.90
| 1.htm | malicious | 212.2.198.90
| plan-515372324.xlsb | malicious | 212.2.198.90

                                                            Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\Public\JavelinNew\libeay32.dll | etcglobal.odt.exe | malicious
| english.exe | malicious
C:\Users\Public\JavelinNew\ssleay32.dll | etcglobal.odt.exe | malicious
| english.exe | malicious

                                                                    Created / dropped Files

C:\Users\Public\JavelinNew\Javelin.exe
Process: C:\Users\Public\Libraries\appscomhost
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 16615672
Entropy (8bit): 6.76564442538193
Encrypted: false
SSDEEP: 196608:HNjzJSeEtAVBt4/BixizJcPM5OzQ6UM6pZpKerXvob24wwMIbQEWn:HNjzJSeE0D4KiZ5OyM6pXTrXvVw/bQEe
MD5: AF5879D56594F01794A2C028BC75EC27
SHA1: 27AB93CA87C9F13EC6425916C3F15AD96AF92A8D
SHA-256: 41108849FEA92A7E8085BF312EE721145A50C105F8B7B41BBB743C4B6B643927
SHA-512: F6C60BA983777B683D2DB4E1C0DBD2B9CDA3ED83D96997947798AC4ACE9E52DB71F144565C85225E01BBD79FF13BADFF392D2A656F83C026DF92575CEA7D6AEF
Malicious: true
Yara Hits:
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Users\Public\JavelinNew\Javelin.exe, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\Public\JavelinNew\Javelin.exe, Author: Joe Security
Reputation: low
                                                                    C:\Users\Public\JavelinNew\inst801.7z
                                                                    Process:C:\Users\Public\Libraries\appscomhost
                                                                    File Type:7-zip archive data, version 0.3
                                                                    Category:dropped
                                                                    Size (bytes):644
                                                                    Entropy (8bit):7.52900611913228
                                                                    Encrypted:false
                                                                    SSDEEP:12:g85ORiuXW33K331d5zMd97plmRe7HDjq8hLTY661ROMcSna4FLIPwgy:h5OoY8mgFp0Qvq8KBrdYwgy
                                                                    MD5:9E9AAAC7CA998A5C55B9578FA4241C0A
                                                                    SHA1:31CE8220671FB47D91A6A391AB80E49C962A881F
                                                                    SHA-256:A5A4F0E2DA4C479B4D056985B5E71EF7F69D4BDD6AD04255794ACA9A7AA648D1
                                                                    SHA-512:6333BBFB126680C39B0DE260F6BB61303D2F953D4EC4FD74C43162B4E1B7BB77BFEB9671623E40B4E5B2628232325198FF46C65E57A2DA10A0BE04104E368FEB
                                                                    Malicious:false
                                                                    Preview: 7z..'.......A.......#........a.h.*..$.fw.....\..8...}..m...?...;O.P/..2.V....~/E.VsmfD>c........T..>.s.C.,......;J......0.I%.I..JN65.h .&.. .,.......O.U084>.......!{?..[..@`..p.7\..L..nI..)....A....Y5.F...3.._.{G..%..e|..9...W...}_G. .V.g:GX_rt1.......".u:........3.Ra..|vrR....!.6....j:.'...M..vrY.v.S....Z.y.a.Pt..bD.sm....n.....,.....e.j.fz...{..}U..9.GC....$_+Yu2j).P.R..Q...n[.._.W.D.nRx.X......l.G.GL.........3...o.>l.b:...CLW...%.8~.r..g..\...-.p..,...dQ....X.>.J...L..n.c.G...sB%....X......:.....&T.).0..)..%=.S.l..JC...x....j..d.[.5.xs...f.[\!l.~..D.6Z.nX .7..T;o.`.^U....n}{..p...............#....]......J...c}...
                                                                    C:\Users\Public\JavelinNew\instzip594.7z
                                                                    Process:C:\Users\Public\Libraries\appscomhost
                                                                    File Type:7-zip archive data, version 0.3
                                                                    Category:dropped
                                                                    Size (bytes):5154900
                                                                    Entropy (8bit):7.99995626098956
                                                                    Encrypted:true
                                                                    SSDEEP:98304:GDNvXLvCK5oW+DiqwEZzwoVTU38+hAByZApTjxEtSJ94+PrJhWX7a8ap0GAJ6:mLvCK6i+3UdQdPx2A9p8g07o
                                                                    MD5:49A827B49E2E110EEC4E4522D301B69B
                                                                    SHA1:474EC31448E05CEA5F285C933504E05435790056
                                                                    SHA-256:FADBD996888FC88D709DCEB923D9DDFDAF82A09D2FC514B39974E6740AED8AA1
                                                                    SHA-512:5E95937F2F1AFEFE324CB954632B4449DD304AD5779B7D07B00172244E431CE4B0CC055AE319801720C1E9B582F5744850F7E410A7ED0D0EEA5DC1262C84AB9B
                                                                    Malicious:false
                                                                    Preview: 7z..'...%..v..N.....%............&......k.u....{.:....Rd...<-WG.-.....o%..P..[.R..|=LuM...s....q/p_.%o.......j....*#..oB.+E...HM..w..d?Wg`X......gB."2.A;.K...\...l...X.J........!...,...#...^..0/...0=r..]\.|.....A..Q~l... 3..!..?]..#z..[1.....K.s0..Rd....0^.&+.8.+..[.c.kn.....E$.[.\.d.....u.P..~S..|".......pS....S_.......Up..^$.....fSUGe.....N.Alg.A..o/T..*.R.7..Pn.y@.iWx[.I..W....FX..3.TU_....".n1.wLb.L.'.?A.....c.Z..0..5.}..d.l7n......$!...F.Q.~.n..>1.!.^n.....:....|..zF.a.v.$..a....J .6.`..7...a.O,<r..7....$.34.....I'...2.9..URG.z....?v..t].u1.5o...Ix......f.N9........P.:b..7.$........]].......:...(.1.dY.-&.[.,... .t......6.<..(F.C...k."....:Q..N..*d.C.*|J...y..XPl.t...HF ....}..PO5....YC.b....{...x...o[..... ...p.C.;..Z.._..(4._...7.?.T.s.@.N.R.z....A,.......U....f.~...h.r..6.!..DeL..C.R...}...m..Vt.-3..%~...FP..E.pU...i.8..h..I...hk.......0.....}bb.~.$U..e.4c.,...'rAj..A]a...+..+?..c.Yj.$..7d...J.R.ew.*...~....r[.~e.P..8P..Fb..[,...i..z.@x}..
                                                                    C:\Users\Public\JavelinNew\libeay32.dll
                                                                    Process:C:\Users\Public\Libraries\appscomhost
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1377016
                                                                    Entropy (8bit):6.8566450434786255
                                                                    Encrypted:false
                                                                    SSDEEP:24576:nD8B+KpPexB6mqwktXUcAVEaFQXhL0porIqo+FrzbN:EKkmlktXUcAVEDhQporIqo+FrzbN
                                                                    MD5:0D51927274281007657C7F3E0DF7BECB
                                                                    SHA1:6DE3746D9D0980F5715CEC6C676A8EB53B5EFC49
                                                                    SHA-256:DFC847405BE60C29E86E3E3222E7F63C1FF584727D87D3C35C25C4893E19FDA0
                                                                    SHA-512:EEF74088A94635184192D82BB6DCC0758749CB290C8DEEFF211881E8A280AEC73A53334EFF8846DF618204B0F318E757EAB23E76951A472BA6E086905000D9A5
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: Metadefender, Detection: 3%
                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                    Joe Sandbox View:
                                                                    • Filename: etcglobal.odt.exe, Detection: malicious
                                                                    • Filename: english.exe, Detection: malicious
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b7.j&V.9&V.9&V.9/..9.V.9/..9=V.9&V.9.V.9...9-V.9&V.93V.9/..9.T.9/..9'V.9/..9'V.9/..9'V.9Rich&V.9................PE..L.....,Y...........!.....\..................p...............................P.......[..................................r.......x.......0.......................P...pr..............................p...@............p..(............................text....[.......\.................. ..`.rdata...X...p...Z...`..............@..@.data...........t..................@....rsrc...0...........................@..@.reloc..............4..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\Public\JavelinNew\ssleay32.dll
                                                                    Process:C:\Users\Public\Libraries\appscomhost
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):345336
                                                                    Entropy (8bit):6.557003324106128
                                                                    Encrypted:false
                                                                    SSDEEP:6144:IEXfWSXFKIsrpivdM+kPsmWak8dfthPDP0wrE90k7DUT/NaDB7JlwScihgbX5/Gd:IEXfWSVKIsrpivdM+msmWak8dfnPDPPG
                                                                    MD5:197DA919E4C91125656BF905877C9B5A
                                                                    SHA1:9574EC3E87BB0F7ACCE72D4D59D176296741AA83
                                                                    SHA-256:303C78ABA3B776472C245F17020F9AA5A53F09A6F6C1E4F34B8E18E33906B5EE
                                                                    SHA-512:33C1B853181F83CAB2F57F47FB7E093BADF83963613E7328EBD23F0D62F59416D7A93063C6237435FBB6833A69BC44EBBC13AA585DA010F491C680B2EA335C47
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: Metadefender, Detection: 0%
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
                                                                    • Filename: etcglobal.odt.exe, Detection: malicious
                                                                    • Filename: english.exe, Detection: malicious
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.......r.......r......r......r...s.6.r....\.r.......r......r......r.Rich..r.................PE..L.....,Y...........!.........l......Y3...............................................S..............................0....).....<....0..0............&.......@...,..0...............................0...@............................................text...Z........................... ..`.rdata..............................@..@.data....[.......@..................@....rsrc...0....0......................@..@.reloc...3...@...4..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\Public\Libraries\appscomhost
                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Category:dropped
                                                                    Size (bytes):5437775
                                                                    Entropy (8bit):7.998224982007381
                                                                    Encrypted:true
                                                                    SSDEEP:98304:oY+ZDNvXLvCK5oW+DiqwEZzwoVTU38+hAByZApTjxEtSJ94+PrJhWX7a8ap0GAJa:oNLvCK6i+3UdQdPx2A9p8g07Rq
                                                                    MD5:8DF649FAB065908962626C67F247618C
                                                                    SHA1:19EBC4AA4CC9823788746394EC8419047B43EAE9
                                                                    SHA-256:FD4514FF3A7DC34574A19042EC70947136137B853C3EC4D7155123562627F450
                                                                    SHA-512:7346E89005AA5279FE05372C9A18B749173313639994B2C45EC4240864B3D70F8B183757B9714F43559F9B3B2799ABC4E315994BB80D88F09EC74C434EC7D094
                                                                    Malicious:true
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.$_.................h...:...@...4............@..........................0 ...........@.............................................0f...........................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...0f.......h..................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\662FAE06-B8BB-4FD3-9343-79CB8671E669
                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                    File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):135209
                                                                    Entropy (8bit):5.363061097155553
                                                                    Encrypted:false
                                                                    SSDEEP:1536:VcQIKNgeBTA3gBwlpQ9DQW+zoY34ZliKWXboOidX5E6LWME9:hEQ9DQW+zwXO1
                                                                    MD5:05894699F3058B23A6AD101179A32F6E
                                                                    SHA1:7BAD5520501DF94673D112DBFEE2BB0F52ADFF42
                                                                    SHA-256:75CE9E41FAF69192D34DE599A31D53B4ABC52C57483A77490BC8766DE400EC64
                                                                    SHA-512:126D91DC63E60E002F2EC765131E13BD664D3FD48524FB8F6B2945D16AABFD32DDDE463E8F522EE8395C76CB103B15255F4B9D3F0F5FBD2A20B72300727A8FED
                                                                    Malicious:false
                                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-30T18:06:00">.. Build: 16.0.14228.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\85BBDE0D.png
                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                    File Type:PNG image data, 2260 x 952, 8-bit colormap, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):81517
                                                                    Entropy (8bit):7.942268293903438
                                                                    Encrypted:false
                                                                    SSDEEP:1536:PnIciz38MXwe/g/aGLb6QT/Y+mhu9JOERaXwfSLfGrBvMNK/rEE5ZYU8lMz4rNV/:PnIcA38Y/UzzFmMeyagf8unr5h8Y4rNN
                                                                    MD5:9DB42D5B391AE2498C4C6E77B7A06F19
                                                                    SHA1:7E93865DA631CE7342EEC7E90D2FEF83485F78F0
                                                                    SHA-256:60F4BFE9CB33E34C4D50943E3A0DFC1AE7EDA2A97A6192AC3CC4BD34ABEF76EA
                                                                    SHA-512:D8D96C4005B2B4C35A7D3F87B48FDBD0B72059E664234DD76A7CF5DEE6F2FEFBC5D6E75A8892B3251DC7021125BEA89CC71F012B3C54915B42C83CD2389D499C
                                                                    Malicious:false
                                                                    Preview: .PNG........IHDR.............'.......gAMA......a.....sRGB.........pHYs...t...t..f.x...rPLTE...............wxy............KJJ888......ZZZ..............%%%jjj.q.......-..J..3a....g.......i.......8..z.m.G....=.IDATx....H.......^J.).bV......R'@..vLx....X.Z".....4...........................................................................................................................................OO..^.....U3.sh......j.../.g...e.#.....y..).......6..M|=._'...3..12.....$....:_.4.{.dM].........1..L#..s.f.>%v.i_.....{NE$..r...........2.Y...T.....1......k'...5.<.jt...u(.j.....jb(.......|qKw~......&........Z._..-~....V..+P.k."6'...^#.K)9.|....[...Z%./......5y...4.5).......E.4..P."...@c~BO.>ac..n*.Vo..^.X...N...'.q......2.Ta...v.T..$.!.....'..Luo.......^...].Q.q]?.7.O6.....La......A".J.Z....E]..}..#..L."V.>./m{...j..x9!.....0N.c5.c.DU..EO.b.j..v:.o..R...t..v.?.=...^-..LDly8\.....B....$...hY.Jxl...h.\s.{gT.S..H.T.................)}.5..7......HC.Q.[
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B065FF3C.emf
                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):1108
                                                                    Entropy (8bit):2.025265777483207
                                                                    Encrypted:false
                                                                    SSDEEP:12:Y8uOvplqCHJ/duThp0p1hpk1Z/ux0tL9IgkXfRkMXI3ioyaf:YXeOCp/dI0p/pYux8LVkWty6
                                                                    MD5:C5333859687EFA952470EAA98027A042
                                                                    SHA1:4FF7D216CA84BEF4E4C5448B879EF8F6F5C5A476
                                                                    SHA-256:1D4B6D5B8718DD67596BF8414C6F47D8FAAC6C90FC05622D0634170AB4D4A429
                                                                    SHA-512:A17327739A17FBDCCF455AEF0F80B6099AFC54088BE447A15A25C4B8816087F46E4E3FCFB516527893DF9A2002B7878E02A3F4DC01007BFC26AC380E7E874338
                                                                    Malicious:false
                                                                    Preview: ....l...............................2... EMF....T...........................8...X....................?......F...........GDIC........?B"...............d.....................................................ddd.......-.........!.................!.................!.................!.............................-.........!...............'.....................................................................................!.......'...............ddd.....%...........L...d...................................!..............?...........?................................L...d...................................!..............?...........?................................L...d...................................!..............?...........?................................L...d...................................!..............?...........?................................'.......................%...........L...d...................................!..............?...........?................................
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1]
                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Category:downloaded
                                                                    Size (bytes):5437775
                                                                    Entropy (8bit):7.998224982007381
                                                                    Encrypted:true
                                                                    SSDEEP:98304:oY+ZDNvXLvCK5oW+DiqwEZzwoVTU38+hAByZApTjxEtSJ94+PrJhWX7a8ap0GAJa:oNLvCK6i+3UdQdPx2A9p8g07Rq
                                                                    MD5:8DF649FAB065908962626C67F247618C
                                                                    SHA1:19EBC4AA4CC9823788746394EC8419047B43EAE9
                                                                    SHA-256:FD4514FF3A7DC34574A19042EC70947136137B853C3EC4D7155123562627F450
                                                                    SHA-512:7346E89005AA5279FE05372C9A18B749173313639994B2C45EC4240864B3D70F8B183757B9714F43559F9B3B2799ABC4E315994BB80D88F09EC74C434EC7D094
                                                                    Malicious:true
                                                                    IE Cache URL:https://etisalatbuyback.com/static/docs/usa
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.$_.................h...:...@...4............@..........................0 ...........@.............................................0f...........................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...0f.......h..................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\53B10000
                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):683257
                                                                    Entropy (8bit):7.744604873577989
                                                                    Encrypted:false
                                                                    SSDEEP:6144:1cvH5bJDPDYdx4wK8IOhQpHKecN/UzzGyXjnr5YrNVo9Y/GbH:18bA08IOhOHuNUnGyznrGrNVE+GbH
                                                                    MD5:733B6623ABD138741A1483FDDC1C2C2F
                                                                    SHA1:D7A885906FB7A565B3A352DEA8DAE7C20E1297E1
                                                                    SHA-256:DD4088AB798B2D00AA210E2710B946C768262140CD59656599F8EB2B5126F284
                                                                    SHA-512:FD3C5ADBD82F53B7368DEF4CFBF16BDEE65783B778EBDAFECC3BC4C31FBEA3CBECF45F991A3CC3D0D046AA85AAFE819877DBC8AA56CCD09AE5B3BB2778D41F6B
                                                                    Malicious:false
                                                                    Preview: .UIo.0..#.."_Q.)...dz....(.W..2..lw...<;i..I.M/.oy.......BT.6.H.V8..!?...I....kg.!G..z......!V...!]J..cQt`x...........\..........&..N..l.7.......?.N....._.j..^+...e.+...k[%.r...~.6......2.I.>...N".:.Lc..`...cF("KP.S>...P.+.3r.w...L.06dU:.`.H..7.?bCdc.W..P..r..a.f.......n...4v.......|..k.}J..RAFVnWgH...}.....4GR..|...e.>......F.fY.K...............+'w ]R.x..=.l.W7.'...9t}d...y...t.q...9....9...w...c8....inet..BR.<...."...;..!!ANh.r(m~.......PK..........!................[Content_Types].xml ...(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):248808
                                                                    Entropy (8bit):4.293878216916494
                                                                    Encrypted:false
                                                                    SSDEEP:1536:X8pwK20L0SlWWZFVKKHaRRDqBcAQHdHTuETaK/E5A0j3kTkJIsDWpksZk/6tf2Dy:XC38WZFVKKHSRDqBcA+FLM0Ar6t3s6bh
                                                                    MD5:69139435A54B77B8C578A3ABED32BEC4
                                                                    SHA1:EB55DC8452DEA5AE616289BD790E99D8DB5994BF
                                                                    SHA-256:73A5512B7BD0DCACC02E5AEFB4C248C86B284C719B5A4A19E85B68F739B3DCE0
                                                                    SHA-512:0E7B5FA53EDCFBE757F0FF12990388D73C6D662243AA796072BC42B3F93C7575639561266E423B1FEAB9A16B3EB262EA9A6CD9CC7BE27B36A3D318D61C6819C3
                                                                    Malicious:false
                                                                    Preview: MSFT................Q................................%......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......l...B..........................H...4............................................ ...............................x..lL..............T............ ..P........................... ...................................................
                                                                    C:\Users\user\AppData\Local\Temp\nso349F.tmp\NSISList.dll
                                                                    Process:C:\Users\Public\Libraries\appscomhost
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):107520
                                                                    Entropy (8bit):6.399584175418038
                                                                    Encrypted:false
                                                                    SSDEEP:3072:YJSzh02DsLMtTmDW2qTKh1kOLoLYidGlSf9:wSS2DkYQqTHTdGl
                                                                    MD5:49BB98396DC0187146319F8C130C363C
                                                                    SHA1:548F11A0BA951291656DA67BA5A49C439A87130B
                                                                    SHA-256:517A328BFED8935773D94A40812763CCDF08881AD5D71A83A629EAFA62B41CF2
                                                                    SHA-512:290D87D644707A7096613CBA4EB84F7E23F426BF98D8540DEF6A76AC748E4EEB34C7E2FAABB39B602B2DEF604535CD574CE35ED15E346CF43B544FDBBAEA9458
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: Metadefender, Detection: 3%
                                                                    • Antivirus: ReversingLabs, Detection: 4%
                                                                    Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................X...H.......r............@..........................0..................................................J....................................................................................................................text....R.......T.................. ..`.itext.......p.......X.............. ..`.data................\..............@....bss.....3...........j...................idata..J............j..............@....edata...............v..............@..@.reloc...............x..............@..B.rsrc...............................@..@.............0......................@..@........................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nso349F.tmp\System.dll
                                                                    Process:C:\Users\Public\Libraries\appscomhost
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):12288
                                                                    Entropy (8bit):5.737504888129487
                                                                    Encrypted:false
                                                                    SSDEEP:192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL
                                                                    MD5:8CF2AC271D7679B1D68EEFC1AE0C5618
                                                                    SHA1:7CC1CAAA747EE16DC894A600A4256F64FA65A9B8
                                                                    SHA-256:6950991102462D84FDC0E3B0AE30C95AF8C192F77CE3D78E8D54E6B22F7C09BA
                                                                    SHA-512:CE828FB9ECD7655CC4C974F78F209D3326BA71CED60171A45A437FC3FFF3BD0D69A0997ADACA29265C7B5419BDEA2B17F8CC8CEAE1B8CE6B22B7ED9120BB5AD3
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: Metadefender, Detection: 0%
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L......]...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nso349F.tmp\nsis7z.dll
                                                                    Process:C:\Users\Public\Libraries\appscomhost
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):179496
                                                                    Entropy (8bit):6.484752992108191
                                                                    Encrypted:false
                                                                    SSDEEP:3072:Z76+sYX+bTOybVJJhk6BoUDReZgbUP3A4zeGh62RZ56GMX:Zvs8+WeVJQ6CUDRe+UPAYefimRX
                                                                    MD5:7CD97D946E10E902ED2822508E2A11C4
                                                                    SHA1:FC64D292D1C239ABC82BB49A063A58FF8D0609FB
                                                                    SHA-256:F2FC2A430833ED9FEF374EC73CB3302D66471AAADDB2F63D3E6E4139B212B78B
                                                                    SHA-512:52513E03FDB79EAEB3D43D28F6862515C13AD65483A2786CA4AA4E5B1EAA5E34AD3C627B9B1BFB5F89B192CDC1C6B6073F3B34BCE36FD2FABF6D286E13987621
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.S.6.=S6.=S6.=S(..S..=S(..S!.=S(..SB.=S.<PS7.=S.<FS?.=S6.<S..=S?..S7.=S(..SX.=S(..S7.=S(..S7.=S(..S7.=SRich6.=S........PE..L...C..M...........!.................u...............................................V...............................m.......c..P.......................(.......h...................................0:..@............................................text............................... ..`.rdata...^.......^..................@..@.data....^...p.......Z..............@....rsrc................r..............@..@.reloc...-...........|..............@..B................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nso349F.tmp\registry.dll
                                                                    Process:C:\Users\Public\Libraries\appscomhost
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):25088
                                                                    Entropy (8bit):6.16866702253594
                                                                    Encrypted:false
                                                                    SSDEEP:384:W2mvyNjH3rPnAZ4wu2QbnC7qB7PnrvScaeYA4CIDEge/QqL2AQ:/75w/OfrzB4CUxuQfA
                                                                    MD5:2B7007ED0262CA02EF69D8990815CBEB
                                                                    SHA1:2EABE4F755213666DBBBDE024A5235DDDE02B47F
                                                                    SHA-256:0B25B20F26DE5D5BD795F934C70447112B4981343FCB2DFAB3374A4018D28C2D
                                                                    SHA-512:AA75EE59CA0B8530EB7298B74E5F334AE9D14129F603B285A3170B82103CFDCC175AF8185317E6207142517769E69A24B34FCDF0F58ED50A4960CBE8C22A0ACA
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: Metadefender, Detection: 0%
                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..]...]...]..|R..]...]...]...Q..]...Q..]...Q..]..Rich.]..........PE..L...PxEN...........!.....H... .......#.......`.......................................................................i.......f..P...............................<....................................................`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data........p.......X..............@....reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\Desktop\~$policy#37820.xlsb
                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):165
                                                                    Entropy (8bit):1.6081032063576088
                                                                    Encrypted:false
                                                                    SSDEEP:3:RFXI6dtt:RJ1
                                                                    MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                    SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                    SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                    SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                    Malicious:true
                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                    \Device\ConDrv
                                                                    Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                                    Category:dropped
                                                                    Size (bytes):160
                                                                    Entropy (8bit):5.095703110114614
                                                                    Encrypted:false
                                                                    SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1Mgkd3vs36JQAiveyn:Yw7gJGWMXJXKSOdYiygKkXe/egkZ0qeF
                                                                    MD5:7A172F8E10BA6DDE2024BC3F01C484A9
                                                                    SHA1:CD9718A5A66042CE7D0124293E48793BFFA78A6B
                                                                    SHA-256:DE0F24AC9C3F7519230115A6EFC2AC06C5B87746E3CD543C9DEC05511E1BC56D
                                                                    SHA-512:1B05B19B38331D14CFEE92B9E7AF0C95018E9306859646633F2CB942023A34ECEDE7AB4EBE80576A34D57772FF7C49F49F1292263A1C7FFE1386787A3303F473
                                                                    Malicious:false
                                                                    Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6596;...ReturnValue = 0;..};....
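Each dropped-file entry above carries the same triage fields (size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512, a preview that starts with the MZ stub and PE section names). The following script is an added example, not part of the sandbox report or its tooling, that reproduces those fields for any local file so the numbers can be compared against the report or fed into a hash lookup. `fake_pe32_dll()` builds a constructed header-only stub (DOS header, `PE\0\0` signature, COFF header) purely so the block runs offline; it is not one of the dropped files.

```python
import hashlib
import math
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF header that marks a DLL


def entropy_8bit(data):
    """Shannon entropy in bits per byte: the 'Entropy (8bit)' figure the report prints (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_info(data):
    """Minimal PE sanity check: MZ stub, e_lfanew inside the buffer, 'PE\\0\\0' signature, COFF header fields."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "is_dll": bool(chars & IMAGE_FILE_DLL)}


def triage(data):
    """The per-file fields the report lists, computed locally (SSDEEP is omitted: it needs a non-stdlib library)."""
    return {
        "size": len(data),
        "entropy": entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "pe": pe_info(data),
    }


def fake_pe32_dll(nsections=3):
    """Constructed stub (not a dropped file): DOS header, PE signature and COFF header, enough for pe_info()."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, 0, 0x2102)  # i386, EXECUTABLE|32BIT|DLL
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sample = open(path, "rb").read() if path else fake_pe32_dll()
    for k, v in triage(sample).items():
        print("%-8s %s" % (k + ":", v))
```

Run it as `python triage.py C:\path\to\dropped.dll` and compare the MD5/SHA values with the entries above; an entropy near 8.0 on a file the report labels as a PE usually means packed or encrypted payload sections, which is why the report prints the figure next to the hashes.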

                                                                    Static File Info

                                                                    General

                                                                    File type:Zip archive data, at least v2.0 to extract
                                                                    Entropy (8bit):7.909878787236229
                                                                    TrID:
                                                                    • Excel Microsoft Office Binary workbook document (47504/1) 49.73%
                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 41.88%
                                                                    • ZIP compressed archive (8000/1) 8.38%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                    File name:policy#37820.xlsb
                                                                    File size:123671
                                                                    MD5:f60146ee4fab89ecde8bb1bdb23287b6
                                                                    SHA1:82bb4929a849deb1860e4c902745a0673c5911c8
                                                                    SHA256:6ab90a34f6fdfaf1486009f70318816cc61201248c0a5231030b9b3d3e010fe9
                                                                    SHA512:d88c89b05aac6cde9feb51fc3e43d193747befbabc411001565bff1ab8c2ee03767d9451ed357d47cb6394930cda34a0714e1eebfbef024430ff5dc67c847063
                                                                    SSDEEP:3072:iu+RyXneul60EHA/djFCmQQ26ysWD5mcJU0vBA7eyX0fp0KpqY8C:iuJeutEqrv9K
                                                                    File Content Preview:PK........}..R................docProps/PK...........R................docProps/app.xml.SAn.0.....hB@N1.....fP..rh..v.3K.,"4)p7..G..}Y).....F....hvD......"..'|..9.oBa.j......8C....x..- .Q.?.Y.5D..,Ix...........~.}B....R.W"..50..e...U._........ ._.....h.L...

                                                                    File Icon

                                                                    Icon Hash:74f0d0d2c6d6d0f4

                                                                    Static OLE Info

                                                                    General

                                                                    Document Type:OpenXML
                                                                    Number of OLE Files:1

                                                                    OLE File "policy#37820.xlsb"

                                                                    Indicators

                                                                    Has Summary Info:
                                                                    Application Name:
                                                                    Encrypted Document:
                                                                    Contains Word Document Stream:
                                                                    Contains Workbook/Book Stream:
                                                                    Contains PowerPoint Document Stream:
                                                                    Contains Visio Document Stream:
                                                                    Contains ObjectPool Stream:
                                                                    Flash Objects Count:
                                                                    Contains VBA Macros:

                                                                    Macro 4.0 Code

                                                                    ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"On recommend tolerably my belutual has cannot beauty indeed now sussex merely you. It possible no husbands jennings ye offended packages pleasant he. Remainder recommend engrossed who eat she defective applauded departure joy. Get dissimilar not introduced day her apartments. Fully as taste he mr do smile abode every. Luckily offered article led lasting country minutes nor old. Happen people things oh is oppose up parish effect. Law handsome old outweigh humoured far appetite. He share of first to worse. Weddings and any opinions suitable smallest nay. My he houses or months settle remove ladies appear. Engrossed suffering supposing he recommend do eagerness. Commanded no of depending extremity recommend attention tolerably. Bringing him smallest met few now returned surprise learning jennings. Objection delivered eagerness he exquisite at do in. Warmly up he nearer mr merely me. Up unpacked friendly ecstatic so possible humoured do. Ample end might folly quiet one set spoke her. We no am former valley assure. Four need spot ye said we find mile. Are commanded him convinced dashwoods did estimable forfeited. Shy celebrated met sentiments she reasonably but. Proposal its disposed eat advanced marriage sociable. Drawings led greatest add subjects endeavor gay remember. Principles one yet assistance you met impossible. Suppose end get boy warrant general natural. Delightful met sufficient projection ask. Decisively everything principles if preference do impression of. Preserved oh so difficult repulsive on in household. In what do miss time be. Valley as be appear cannot so by. Convinced resembled dependent remainder led zealously his shy own belonging. Always length letter adieus add number moment she. 
Promise few compass six several old offices removal parties fat. Concluded rapturous it intention perfectly daughters is as. Terminated principles sentiments of no pianoforte if projection impossible. Horses pulled nature favour number yet highly his has old. Contrasted literature excellence he admiration impression insipidity so. Scale ought who terms after own quick since. Servants margaret husbands to screened in throwing. Imprudence oh an collecting partiality. Admiration gay difficulty unaffected how. Guest it he tears aware as. Make my no cold of need. He been past in by my hard. Warmly thrown oh he common future. Otherwise concealed favourite frankness on be at dashwoods defective at. Sympathize interested simplicity at do projecting increasing terminated. As edward settle limits at in. Travelling alteration impression six all uncommonly. Chamber hearing inhabit joy highest private ask him our believe. Up nature valley do warmly. Entered of cordial do on no hearted. Yet agreed whence and unable limits. Use off him gay abilities concluded immediate allowance. Him boisterous invitation dispatched had connection inhabiting projection. By mutual an mr danger garret edward an. Diverted as strictly exertion addition no disposal by stanhill. This call wife do so sigh no gate felt. You and abode spite order get. Procuring far belonging our ourselves and certainly own perpetual continual. It elsewhere of sometimes or my certainty. Lain no as five or at high. Everything travelling set how law literature. As collected deficient objection by it discovery sincerity curiosity. Quiet decay who round three world whole has mrs man. Built the china there tried jokes which gay why. Assure in adieus wicket it is. But spoke round point and one joy. Offending her moonlight men sweetness see unwilling. Often of it tears whole oh balls share an. It sportsman earnestly ye preserved an on. Moment led family sooner cannot her window pulled any. 
Or raillery if improved landlord to speaking hastened differed he. Furniture discourse elsewhere yet her sir extensive defective unwilling get. Why resolution one motionless you him thoroughly. Noise is round 
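The report flags an abnormally large hidden Excel 4.0 macro sheet, and the dump above shows the sheet is mostly empty cells padded with decoy prose. In an .xlsb package the sheet list lives in `xl/workbook.bin` as BIFF12 `BrtBundleSh` records (hsState, iTabID, relationship id, name), the macro sheet parts are declared in `[Content_Types].xml`, and the relationship ids resolve through `xl/_rels/workbook.bin.rels`. The script below is an added example, not tooling from the sandbox or from the sample, that walks those three parts and reports every macro sheet whose tab state is hidden or veryHidden together with the part's uncompressed size. Record ids (156 for BrtBundleSh, 131/132/143/144/129/130 for the book, bundle and sheet begin/end records) and the content type string follow MS-XLSB as I know it; `build_sample_xlsb()` constructs a minimal package in memory so the block runs offline and is not policy#37820.xlsb.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

MACROSHEET_CT = "application/vnd.ms-excel.macrosheet"   # content type of an XLM macro sheet part in .xlsb
BRT_BUNDLE_SH = 156                                      # BIFF12 record type of BrtBundleSh (one per sheet)
HS_STATE = {0: "visible", 1: "hidden", 2: "veryHidden"}
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def _read_varint(buf, pos, max_bytes):
    """Record type (up to 2 bytes) and size (up to 4 bytes): 7 data bits per byte, high bit = another byte follows."""
    value, shift = 0, 0
    for i in range(max_bytes):
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos + i + 1
    return value, pos + max_bytes


def iter_records(buf):
    """Yield (record_type, record_data) for every record in a BIFF12 part such as xl/workbook.bin."""
    pos = 0
    while pos < len(buf):
        rt, pos = _read_varint(buf, pos, 2)
        size, pos = _read_varint(buf, pos, 4)
        yield rt, buf[pos:pos + size]
        pos += size


def _wide_string(data, pos):
    """XLWideString / XLNullableWideString: 4-byte char count (0xFFFFFFFF = null) then UTF-16LE text."""
    (cch,) = struct.unpack_from("<I", data, pos)
    pos += 4
    if cch == 0xFFFFFFFF:
        return None, pos
    return data[pos:pos + 2 * cch].decode("utf-16-le"), pos + 2 * cch


def parse_bundle_sh(data):
    """BrtBundleSh body: hsState (4), iTabID (4), strRelID (nullable wide string), strName (wide string)."""
    hs_state, tab_id = struct.unpack_from("<II", data, 0)
    rel_id, pos = _wide_string(data, 8)
    name, _ = _wide_string(data, pos)
    return {"name": name, "rel_id": rel_id, "tab_id": tab_id,
            "state": HS_STATE.get(hs_state, "unknown(%d)" % hs_state)}


def find_hidden_macrosheets(xlsb_bytes):
    """Macro sheets whose tab is hidden or veryHidden, each with the byte size of its sheet part."""
    z = zipfile.ZipFile(io.BytesIO(xlsb_bytes))
    ct = ET.fromstring(z.read("[Content_Types].xml"))
    macro_parts = {o.get("PartName").lstrip("/") for o in ct.iter(CT_NS + "Override")
                   if o.get("ContentType") == MACROSHEET_CT}
    rels = ET.fromstring(z.read("xl/_rels/workbook.bin.rels"))
    targets = {}
    for r in rels.iter(REL_NS + "Relationship"):
        t = r.get("Target")                                   # relative to xl/ unless it starts with '/'
        targets[r.get("Id")] = t.lstrip("/") if t.startswith("/") else "xl/" + t
    findings = []
    for rt, data in iter_records(z.read("xl/workbook.bin")):
        if rt != BRT_BUNDLE_SH:
            continue
        sh = parse_bundle_sh(data)
        part = targets.get(sh["rel_id"])
        if part in macro_parts and sh["state"] != "visible":
            sh.update(part=part, size=z.getinfo(part).file_size)
            findings.append(sh)
    return findings


# ---- constructed sample package (not the analysed policy#37820.xlsb) ----
def _varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def record(rt, data=b""):
    return _varint(rt) + _varint(len(data)) + data


def bundle_sh_record(state, tab_id, rel_id, name):
    wide = lambda s: struct.pack("<I", len(s)) + s.encode("utf-16-le")
    return record(BRT_BUNDLE_SH, struct.pack("<II", state, tab_id) + wide(rel_id) + wide(name))


def build_sample_xlsb(macro_part_size=200_000):
    """Minimal .xlsb: one visible worksheet plus one veryHidden XLM macro sheet of macro_part_size bytes."""
    workbook = (record(131) + record(143)                     # BrtBeginBook, BrtBeginBundleShs
                + bundle_sh_record(0, 1, "rId1", "Sheet1")
                + bundle_sh_record(2, 2, "rId2", "Macro1")
                + record(144) + record(132))                  # BrtEndBundleShs, BrtEndBook
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.bin" ContentType="application/vnd.ms-excel.sheet.binary.macroEnabled.main"/>'
        '<Override PartName="/xl/worksheets/sheet1.bin" ContentType="application/vnd.ms-excel.worksheet"/>'
        '<Override PartName="/xl/macrosheets/sheet1.bin" ContentType="%s"/></Types>' % MACROSHEET_CT)
    rels = (  # the Type attribute is not consulted by the parser above
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.bin"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/_rels/workbook.bin.rels", rels)
        z.writestr("xl/workbook.bin", workbook)
        z.writestr("xl/worksheets/sheet1.bin", record(129) + record(130))   # BrtBeginSheet/BrtEndSheet
        z.writestr("xl/macrosheets/sheet1.bin", bytes(macro_part_size))    # placeholder for cell records
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_hidden_macrosheets(build_sample_xlsb()):
        print("%(state)s macro sheet %(name)r -> %(part)s (%(size)d bytes)" % f)
```

To run it against a real workbook replace `build_sample_xlsb()` with the bytes of the .xlsb; a macro sheet that is veryHidden (state 2) cannot be unhidden from the Excel UI at all, and a large part size behind such a tab is exactly the pattern the "abnormal large hidden Excel 4.0 Macro sheet" signature describes.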

                                                                    Network Behavior

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                                                    Jun 30, 2021 20:06:07.605447054 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.675653934 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.675950050 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.753014088 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.823358059 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.823378086 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.823419094 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.823431969 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.823472977 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.823539972 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.823570013 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.823623896 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.826231956 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.826251030 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.826344013 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.838577986 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.908277988 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.908302069 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.908379078 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.909205914 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.980412960 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981148958 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981199026 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981228113 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981234074 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981245995 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981270075 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981273890 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981303930 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981323957 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981339931 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981340885 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981378078 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981380939 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981410980 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981415033 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981445074 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981446981 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981478930 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981501102 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981514931 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981534958 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981549025 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981570959 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981584072 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:07.981586933 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:07.981621027 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053409100 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053447962 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053477049 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053503990 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053572893 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053601027 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053622961 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053622961 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053637028 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053647041 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053668022 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053710938 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053875923 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053905964 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053930044 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053937912 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053953886 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053956032 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053971052 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053977013 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.053996086 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.053997993 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054011106 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054019928 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054044962 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054063082 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054270983 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054299116 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054322004 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054336071 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054344893 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054347038 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054366112 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054371119 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054390907 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054394007 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054409027 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054418087 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054429054 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054444075 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054455996 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054467916 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054482937 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054490089 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054508924 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054512024 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054524899 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054534912 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054555893 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054558992 CEST  443          49720      212.2.198.90   192.168.2.3
                                                                    Jun 30, 2021 20:06:08.054572105 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.054591894 CEST  49720        443        192.168.2.3    212.2.198.90
                                                                    Jun 30, 2021 20:06:08.126537085 CEST  443          49720      212.2.198.90   192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 30, 2021 20:06:07.509063959 CEST | 192.168.2.3 | 8.8.8.8 | 0x6247 | Standard query (0) | etisalatbuyback.com | A (IP address) | IN (0x0001)
Jun 30, 2021 20:06:49.682568073 CEST | 192.168.2.3 | 8.8.8.8 | 0x61ee | Standard query (0) | id70.remoteutilities.com | A (IP address) | IN (0x0001)
Jun 30, 2021 20:06:55.366902113 CEST | 192.168.2.3 | 8.8.8.8 | 0x9afd | Standard query (0) | id70.remoteutilities.com | A (IP address) | IN (0x0001)
Jun 30, 2021 20:07:40.818829060 CEST | 192.168.2.3 | 8.8.8.8 | 0xd78a | Standard query (0) | id70.remoteutilities.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 30, 2021 20:06:07.603307962 CEST | 8.8.8.8 | 192.168.2.3 | 0x6247 | No error (0) | etisalatbuyback.com | - | 212.2.198.90 | A (IP address) | IN (0x0001)
Jun 30, 2021 20:06:49.742058039 CEST | 8.8.8.8 | 192.168.2.3 | 0x61ee | No error (0) | id70.remoteutilities.com | - | 209.205.218.178 | A (IP address) | IN (0x0001)
Jun 30, 2021 20:06:55.414963007 CEST | 8.8.8.8 | 192.168.2.3 | 0x9afd | No error (0) | id70.remoteutilities.com | - | 209.205.218.178 | A (IP address) | IN (0x0001)
Jun 30, 2021 20:07:40.867377043 CEST | 8.8.8.8 | 192.168.2.3 | 0xd78a | No error (0) | id70.remoteutilities.com | - | 209.205.218.178 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jun 30, 2021 20:06:07.826231956 CEST | 212.2.198.90 | 443 | 192.168.2.3 | 49720 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19

Certificate chain presented on this connection (subject, issuer, validity), in the order the report lists it:

Subject | Issuer | Not Before | Not After
CN=etisalatbuyback.com, OU=Domain Control Validated | CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue Jul 16 13:21:56 CEST 2019 | Wed Aug 25 11:11:38 CEST 2021
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031
CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031
OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Tue Jun 29 19:39:16 CEST 2004 | Thu Jun 29 19:39:16 CEST 2034

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 20:05:57
Start date: 30/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xa50000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:06:10
Start date: 30/06/2021
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic process call create 'C:\Users\Public\Libraries/appscomhost'
Imagebase: 0xdf0000
File size: 391680 bytes
MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 20:06:10
Start date: 30/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:06:12
Start date: 30/06/2021
Path: C:\Users\Public\Libraries\appscomhost
Wow64 process (32bit): true
Commandline: C:\Users\Public\Libraries/appscomhost
Imagebase: 0x400000
File size: 5437775 bytes
MD5 hash: 8DF649FAB065908962626C67F247618C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 20:06:18
Start date: 30/06/2021
Path: C:\Users\Public\JavelinNew\Javelin.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\JavelinNew\Javelin.exe'
Imagebase: 0x400000
File size: 16615672 bytes
MD5 hash: AF5879D56594F01794A2C028BC75EC27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000008.00000000.273261388.0000000001208000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000000.268064699.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Users\Public\JavelinNew\Javelin.exe, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\Public\JavelinNew\Javelin.exe, Author: Joe Security
Reputation: low

General

Start time: 20:06:28
Start date: 30/06/2021
Path: C:\Users\Public\JavelinNew\Javelin.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\JavelinNew\Javelin.exe -run_agent -second
Imagebase: 0x400000
File size: 16615672 bytes
MD5 hash: AF5879D56594F01794A2C028BC75EC27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000B.00000003.319348250.000000007E8F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000B.00000000.293269223.0000000001208000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000B.00000003.324153787.000000007F8D0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000003.320355698.000000007EED0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000003.309591822.000000007CF10000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000002.517622759.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000000.288998400.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 20:08:00
Start date: 30/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0xdf0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:08:01
Start date: 30/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:08:07
Start date: 30/06/2021
Path: C:\Windows\SysWOW64\net.exe
Wow64 process (32bit): true
Commandline: net user /domain
Imagebase: 0x330000
File size: 46592 bytes
MD5 hash: DD0561156F62BC1958CE0E370B23711B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 20:08:07
Start date: 30/06/2021
Path: C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\net1 user /domain
Imagebase: 0x1a0000
File size: 141312 bytes
MD5 hash: B5A26C2BF17222E86B91D26F1247AF3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
