
Windows Analysis Report policy#37820.xlsb

Overview

General Information

Sample Name:policy#37820.xlsb
Analysis ID:442547
MD5:f60146ee4fab89ecde8bb1bdb23287b6
SHA1:82bb4929a849deb1860e4c902745a0673c5911c8
SHA256:6ab90a34f6fdfaf1486009f70318816cc61201248c0a5231030b9b3d3e010fe9

Detection

RMSRemoteAdmin Hidden Macro 4.0
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to create processes via WMI
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the current domain controller via net
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious WMI Execution
Stores large binary data to the registry
Tries to load missing DLLs
Yara detected RMS RemoteAdmin tool

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5412 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 6388 cmdline: wmic process call create 'C:\Users\Public\Libraries/appscomhost' MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • appscomhost (PID: 6596 cmdline: C:\Users\Public\Libraries/appscomhost MD5: 8DF649FAB065908962626C67F247618C)
    • Javelin.exe (PID: 6832 cmdline: 'C:\Users\Public\JavelinNew\Javelin.exe' MD5: AF5879D56594F01794A2C028BC75EC27)
      • Javelin.exe (PID: 7128 cmdline: C:\Users\Public\JavelinNew\Javelin.exe -run_agent -second MD5: AF5879D56594F01794A2C028BC75EC27)
        • cmd.exe (PID: 6308 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • net.exe (PID: 6836 cmdline: net user /domain MD5: DD0561156F62BC1958CE0E370B23711B)
            • net1.exe (PID: 6436 cmdline: C:\Windows\system32\net1 user /domain MD5: B5A26C2BF17222E86B91D26F1247AF3E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\Public\JavelinNew\Javelin.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
C:\Users\Public\JavelinNew\Javelin.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
00000008.00000000.273261388.0000000001208000.00000002.00020000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
0000000B.00000003.319348250.000000007E8F0000.00000004.00000001.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security
0000000B.00000000.293269223.0000000001208000.00000002.00020000.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security

Sigma Overview

System Summary:

Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\JavelinNew\Javelin.exe', CommandLine: 'C:\Users\Public\JavelinNew\Javelin.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\JavelinNew\Javelin.exe, NewProcessName: C:\Users\Public\JavelinNew\Javelin.exe, OriginalFileName: C:\Users\Public\JavelinNew\Javelin.exe, ParentCommandLine: C:\Users\Public\Libraries/appscomhost, ParentImage: C:\Users\Public\Libraries\appscomhost, ParentProcessId: 6596, ProcessCommandLine: 'C:\Users\Public\JavelinNew\Javelin.exe', ProcessId: 6832
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: wmic process call create 'C:\Users\Public\Libraries/appscomhost', CommandLine: wmic process call create 'C:\Users\Public\Libraries/appscomhost', CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5412, ProcessCommandLine: wmic process call create 'C:\Users\Public\Libraries/appscomhost', ProcessId: 6388
Sigma detected: Suspicious WMI Execution
Source: Process started | Author: Michael Haag, Florian Roth, juju4, oscd.community | Data: Command: wmic process call create 'C:\Users\Public\Libraries/appscomhost', CommandLine: wmic process call create 'C:\Users\Public\Libraries/appscomhost', CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5412, ProcessCommandLine: wmic process call create 'C:\Users\Public\Libraries/appscomhost', ProcessId: 6388
Sigma detected: Net.exe Execution
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: net user /domain, CommandLine: net user /domain, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6308, ProcessCommandLine: net user /domain, ProcessId: 6836

Signature Overview

Source: 5.1.appscomhost.10000000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: Javelin.exe, 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 212.2.198.90:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb | source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb | source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_0040676F FindFirstFileW,FindClose,
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00402902 FindFirstFileW,

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: usa[1].0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
Source: global traffic | DNS query: name: etisalatbuyback.com
Source: global traffic | TCP traffic: 192.168.2.3:49720 -> 212.2.198.90:443
Source: excel.exe | Memory has grown: Private usage: 1MB later: 104MB
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 209.205.218.178:5655
Source: global traffic | TCP traffic: 192.168.2.3:49749 -> 198.147.28.34:5655
Source: Joe Sandbox View | IP Address: 209.205.218.178
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown | TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown | DNS traffic detected: queries for: etisalatbuyback.com
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp | String found in binary or memory: http://madExcept.comU
Source: appscomhost, 00000005.00000002.284875976.000000000040A000.00000004.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: Javelin.exe, 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp, Javelin.exe, 00000008.00000002.302591567.0000000001463000.00000002.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | String found in binary or memory: http://rmansys.ru/internet-id/
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: http://update.remoteutilities.net/upgrade.ini
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: http://update.remoteutilities.net/upgrade_beta.ini
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Javelin.exe, 00000008.00000000.272062914.0000000000E01000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305300851.0000000011149000.00000002.00020000.sdmp | String found in binary or memory: http://www.openssl.org/V
Source: Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | HTTPS traffic detected: 212.2.198.90:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing on the yellow bar if the document was downloaded from the Internet. 12 ,, , " 3. C
Source: Screenshot number: 4 | Screenshot OCR: Enable content onthe yellow barto run plugin Core decryption. 14 15 16 1 i 17 P 18 19 20 2
Source: Screenshot number: 8 | Screenshot OCR: Enable editing on the yellow bar if the document was downloaded from the Internet. , Click Enable
Source: Screenshot number: 8 | Screenshot OCR: Enable content onthe yellow barto run plugin Core decryption. Results o o Certifies documents )
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000001.00000002.259206296.0000000000800000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create 'C:\Users\Public\Libraries/appscomhost'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=::=::\=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=NEBFQQYUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsU?
Found abnormal large hidden Excel 4.0 Macro sheet
Source: policy#37820.xlsb | Initial sample: Sheet size: 230235
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1]
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\Libraries\appscomhost
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\Public\JavelinNew\Javelin.exe | File created: C:\Windows\TEMP\Javelin.madExcept
Source: C:\Users\Public\JavelinNew\Javelin.exe | File deleted: C:\Windows\Temp\Javelin.madExcept
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00407458
Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00406C81
Source: Javelin.exe.5.dr | Static PE information: Number of sections : 11 > 10
Source: Javelin.exe.5.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: Javelin.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: dnsapi.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: winnsi.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: textinputframework.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: coreuicomponents.dll
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Section loaded: coremessaging.dll
                Source: classification engine | Classification label: mal96.expl.evad.winXLSB@15/18@4/6
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_00404858 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                Source: C:\Users\Public\Libraries\appscomhost | Code function: 5_2_004021A2 CoCreateInstance
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1bd8
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1bd8
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1ab0
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1ab0
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{291ED4E2-78EE-480C-BE22-D3277A2D5535} - OProcSessId.dat
                Source: Yara match | File source: 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.320355698.000000007EED0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000003.309591822.000000007CF10000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.517622759.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000000.288998400.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000000.268064699.0000000000401000.00000020.00020000.sdmp, type: MEMORY
                Source: Yara match | File source: C:\Users\Public\JavelinNew\Javelin.exe, type: DROPPED
                Source: C:\Users\Public\Libraries\appscomhost | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\Public\JavelinNew\Javelin.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:\Users\Public\Libraries/appscomhost'
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\Public\Libraries\appscomhost C:\Users\Public\Libraries/appscomhost
                Source: C:\Users\Public\Libraries\appscomhost | Process created: C:\Users\Public\JavelinNew\Javelin.exe 'C:\Users\Public\JavelinNew\Javelin.exe'
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process created: C:\Users\Public\JavelinNew\Javelin.exe C:\Users\Public\JavelinNew\Javelin.exe -run_agent -second
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user /domain
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user /domain
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Window found: window name: TComboBox
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: policy#37820.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
                Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb0U source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
                Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
                Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
                Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb | source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
                Source: Javelin.exe.5.dr | Static PE information: real checksum: 0xfe775f should be:
                Source: Javelin.exe.5.dr | Static PE information: section name: .didata

                Persistence and Installation Behavior:

                Creates processes via WMI
                Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1]
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\nsis7z.dll
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\registry.dll
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\NSISList.dll
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\Public\Libraries\appscomhost
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\Public\JavelinNew\Javelin.exe
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\System.dll
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\Public\JavelinNew\ssleay32.dll
                Source: C:\Users\Public\Libraries\appscomhost | File created: C:\Users\Public\JavelinNew\libeay32.dll
                Source: C:\Users\Public\Libraries\appscomhost | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\Public\Libraries\appscomhost | Key value created or modified: HKEY_CURRENT_USER\Software\Postapocalyptic rundlet\Host\Parameters General
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\Libraries\appscomhost | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\Public\JavelinNew\Javelin.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:
