Edit tour

Windows Analysis Report
RU419 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Sample Name:	RU419 FEB17 BSRec_InvNet.xlsx
Analysis ID:	562532
MD5:	bb2bdf2659b515eee1f56c0382847fd7
SHA1:	72405dd23abe1d3f97b75e3eb50bcecbf51669f8
SHA256:	a36ec67f835cb7968270d43f151df7b0b3cbd501b5eeb4688b8676758deadb0e
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 864 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

splwow64.exe (PID: 5804 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Overview

⊘No yara matches

Sigma Overview

⊘No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: splwow64.exe, 00000002.00000003.727151817.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.725796275.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.727939883.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mic-
Source: splwow64.exe, 00000002.00000003.751903725.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.728110028.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.752108390.0000000003E94000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.728264733.0000000003D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: splwow64.exe, 00000002.00000003.751903725.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.728110028.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.752108390.0000000003E94000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.728264733.0000000003D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.
Source: splwow64.exe, 00000002.00000003.727151817.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.725796275.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.727939883.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.c
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: splwow64.exe, 00000002.00000003.749696368.000000000300C000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.735988966.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.735894422.0000000003E5D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.751571773.000000000300C000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.735741916.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.office.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://augloop.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://cdn.entity.
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://cortana.ai
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://cr.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://directory.services.
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://graph.windows.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://invites.office.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://login.windows.local
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://management.azure.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://management.azure.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://osi.office.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://outlook.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://roaming.edog.
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://tasks.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{D49A8764-90F0-4C06-8D6C-DBF8D17CEECC} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: classification engine

Classification label: clean0.winXLSX@3/12@0/0

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject4.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject3.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject1.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject2.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image10.png
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/vmlDrawing2.vml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing5.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing6.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet19.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet15.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet9.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image5.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet13.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet19.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet18.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet17.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet16.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet15.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet14.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet11.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet10.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet9.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image3.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image2.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image1.png
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet7.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet8.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet12.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink7.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink6.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink5.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink3.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink7.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp1.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings5.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/calcChain.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink3.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings6.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = docProps/custom.xml

Source: RU419 FEB17 BSRec_InvNet.xlsx

Static file information: File size 4768919 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: RU419 FEB17 BSRec_InvNet.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
http://schemas.microsoft.c	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
http://schemas.mic-	0%	Avira URL Cloud	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.w3.o	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://login.microsoftonline.com/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://shell.suite.office.com:1443	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://autodiscover-s.outlook.com/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://roaming.edog.	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://cdn.entity.	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://powerlift.acompli.net	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
http://schemas.microsoft.c	splwow64.exe, 00000002.00000003.727151817.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.725796275.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.727939883.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://cortana.ai	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://api.aadrm.com/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://api.microsoftstream.com/api/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://cr.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://graph.ppe.windows.net	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://officeci.azurewebsites.net/api/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://store.office.cn/addinstemplate	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://globaldisco.crm.dynamics.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://dev0-api.acompli.net/autodetect	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://web.microsoftstream.com/video/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://dataservice.o365filtering.com/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://ncus.contentsync.	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
http://weather.service.msn.com/data.aspx	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://apis.live.net/v5.0/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://management.azure.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://outlook.office365.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://wus2.contentsync.	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://api.office.net	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://incidents.diagnosticssdf.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
http://schemas.mic-	splwow64.exe, 00000002.00000003.727151817.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.725796275.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.727939883.0000000002F94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://entitlement.diagnostics.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
http://schemas.micro	splwow64.exe, 00000002.00000003.751903725.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.728110028.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.752108390.0000000003E94000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.728264733.0000000003D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://substrate.office.com/search/api/v2/init	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://outlook.office.com/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://outlook.office365.com/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://webshell.suite.office.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://management.azure.com/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
http://www.w3.o	splwow64.exe, 00000002.00000003.749696368.000000000300C000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.735988966.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.735894422.0000000003E5D000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.751571773.000000000300C000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000002.00000003.735741916.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://devnull.onenote.com	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://ncus.pagecontentsync.	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://messaging.office.com/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://augloop.office.com/v2	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false		high
https://skyapi.live.net/Activity/	5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562532
Start date:	29.01.2022
Start time:	01:20:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 55s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	RU419 FEB17 BSRec_InvNet.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.winXLSX@3/12@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, Microsoft.Photos.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 2.20.157.220, 52.109.88.177, 52.109.12.22, 52.109.8.22
Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, settings-win.data.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net

Simulations

Behavior and APIs

Time	Type	Description
01:22:05	API Interceptor	11x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	142098
Entropy (8bit):	5.354734876629519
Encrypted:	false
SSDEEP:	1536:HcQIfgxrBdA3guwQ/Q9DQW+zUk4F77nXmvidZXQE5LWmE9:V8Q9DQW+zwXFU
MD5:	4D2D30320E0FF2EBB190E00ADE9107A9
SHA1:	50761E3502A695D58D1329EFA94A5FC4BD6D78E1
SHA-256:	1649753A06896B3183046837B6ABC949640FA55289B395987056E09BDCAA78BE
SHA-512:	A90327F40016D6BEBFF15A49B522BFED37097D803180F6C1887A2852F99ED813F0C9A5DF088FCCB3DC383A5279E5507AFEEDABDDC33054C7940B352849006390
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-01-29T00:22:03">.. Build: 16.0.14923.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\37E97714.emf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5364
Entropy (8bit):	4.856335090472488
Encrypted:	false
SSDEEP:	96:QxgBS1YKG5mPKDRv4Og6tO/XP8lEERc0l+e6HK:QxK5mPaRvO/f8lEERdl+e6HK
MD5:	72FEAFCA807874E6742DFBD011C2B2CD
SHA1:	845FFB7468E2B0932848D356D8127CEE249EB712
SHA-256:	F95F6C5360B90FCECB95608C8364FE5BA2D9372166B7F32766C8A9255AA9CDEE
SHA-512:	1A345CF4D4CCCB263893C4C3C7E353E6DAC44E8EDB880DF19264720C35499035A8154A47B468C422E14C0A93AFA89A80FEFA3DF44CE0101640A02F90D868AD6C
Malicious:	false
Reputation:	low
Preview:	....l...0.........../............C..q... EMF................................8.......}................U..H...............................5...R...p...................................S.e.g.o.e. .U.I....................................................vp..&1.5.\.R.o.o.t.\.O.f.f.i.c.e.........mEr........D..Y..........v...v......t...8..........X.wb.P......... ....6....t.....X.t...w...v...Y.................... ...................w...v...Y..............cnEr...............p..&....}.v........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\50D0390D.emf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5356
Entropy (8bit):	2.3390883230088235
Encrypted:	false
SSDEEP:	48:S83IHpHK2g4x//3G7+wJj7IaK0JohkN+DuuHmt:SVHpHK2x//3+xB7IaK0bNIXGt
MD5:	FA14D04AC7BE94D9470D68B5B05326B9
SHA1:	4C15B8938037773793BC22A9008B83935419D8E0
SHA-256:	CEE5C6209A2D15A2E6EA6DE993B547C375E5716A90D472B55789E4553A212FD1
SHA-512:	419BEFFEE7DA34D924C172A3C8144F160C4306316697123BBF431BD357B3A8AB47540AEEF9855030233C9CFD84BEBD8A429CBFBD10C8D34616EA092D9A6E14EC
Malicious:	false
Reputation:	low
Preview:	....l...........................C#...... EMF................................8.......}................U..H...................K.......................................'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5237299F.emf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5996
Entropy (8bit):	2.187911659414248
Encrypted:	false
SSDEEP:	24:YOPJZ7pbkyVbYqpBBBBBBBUBBBBBBqBBBBBBBUBBBBBBqBBBBBBBUBBBBBBqBBBc:9vdbkgbUKOwfnV3UqcZZI6Lae
MD5:	914B8A0FCDE8E024E1614BC59CF4CEF0
SHA1:	121F6CF39B1341AA8AF2EDC312DCAA3B58701A80
SHA-256:	FB25589D52AC2015251A56299D5DBF0A164B8CB78086F76BCE990DC717838804
SHA-512:	1B7E4837C949D8509F35C528D4B574CF74C15ED36180F014838723B4ED792316712C4A4EED8740388A43C99EAA406079F02D1FCFB2E27BC62FDAB955CD8CF42D
Malicious:	false
Reputation:	low
Preview:	....l...........]...J...........9....... EMF....l...........................8.......}................U..H...F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!.......%.......................................................................'.......................%...........K.......................................M...$... .......?...!... ....... ... ..................?...........?................l...0........... ... ...(... ..."..............................................................?..................................................................................................3...7...7...?.M....... .......?...!... ....... ... ...F.f............?...........?................l...4........... ... ...(... ... ..... .........................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\69015696.emf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5232
Entropy (8bit):	4.879542142933512
Encrypted:	false
SSDEEP:	96:59f2pmYKG5mPKDRv4Og6tO/XP8lEEF6+idRm:5Un5mPaRvO/f8lEE5idRm
MD5:	2A31FF37D8F06AB63C08A874B00F78A5
SHA1:	A216FB97942EE30E82D13F8D308F3D34FB0A3451
SHA-256:	9E941032F88F698814AEC1D444A3541591928A804CCDE5769F535C1590B2907F
SHA-512:	6F51504BFA3FDCF895B04197EA0AA670FEC99BB3A3EE199AF85BC56E5748A1D2B6C113F504431883A7C050C9FF6ADB3D28C50E21B64FDAC4036D5CB6C3D30466
Malicious:	false
Reputation:	low
Preview:	....l...#.......9.../...........50..q... EMF....p...........................8.......}................U..H...........................]...5...R...p...................................S.e.g.o.e. .U.I...................................................,ux3S1.5.\.R.o.o.t.\.O.f.f.i.c.e.....,.E..nQp........D..^.........,u8..w......t..E...E.....`.E...........5...E.P.Tu.6....t..E..XTu...w...w...^..U...U..-(......^.......\|t.5.....@.E....w...w...^0.E.........\.E..oQp........L.E.....x3S\.E..},u........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6A727948.emf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5280
Entropy (8bit):	4.841321930941806
Encrypted:	false
SSDEEP:	96:I0DS0VwurYKG5mPKDRv4Og6tO/XP8lEEHuwL:PDS0G5mPaRvO/f8lEEHuwL
MD5:	E630F750E3440205E6695E75AE1179EB
SHA1:	78DA9D8DF55169C1072618BB97DE5C56517E1329
SHA-256:	E1AAD6F483DEDF11E1156DF09545495BA928CFCF93140B40850420940E6EF11A
SHA-512:	1BE3355C0E87C414D810E0A584BEB0117AB250F1B80F2300E8EB9070D8A17EBE6DB70763CB693948FCCDA4932FEF0C4932DB81CEA9E28E84358146C8515CA9A4
Malicious:	false
Reputation:	low
Preview:	....l...).......u.../...........k9..t... EMF............................@.......4...>..................<...............................5...R...p...................................S.e.g.o.e. .U.I...................................................8v..."1.5.\.R.o.o.t.\.O.f.f.i.c.e.......4..nCq........D.:T.........8v...v.....[vd.4...4.......4........v...v8.....u...u..[v..4.k...........@.........4....v...v....\.u...u..;t.......4.........(zu...4...........4..oCq..........4........"..4..}8v........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7D410405.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 736 x 684, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	39836
Entropy (8bit):	7.878450113177619
Encrypted:	false
SSDEEP:	768:kR74Xfv6IM98GeWrL2PBB/HZTv4PC2zWVJVshLAw0Y7Sx:kRcXfv6HqGeA+BfmP2gL7Sx
MD5:	2E2CD6F2A3F8A14E0E8CA21FA1BB4B4B
SHA1:	198375E14FF80A94D82DC0CA20F4105DA7109344
SHA-256:	63245936D251A15D85F9CDABE06E3BB1CFEB16E9A7F02C7B72E72EB7D75B6C5A
SHA-512:	340638281E60773A893BC2508031506F3D460D846D95228096E0EADC7E18FF943C906AC1675FC15F7717CC13FD35C5C9ED955C6E26ADE8BCFBF45F3385939791
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............D......sRGB.........gAMA......a.....pHYs..........o.d...1IDATx^.1..>....'.\|b.._....H...^fw....w.9......{P ...U$...".....".T.. .k^...7.............0..8.....@........A..............0..8.....@.........................x.....+s........1.g..A...@...c ........XO.@........]....<........`=..y....8..t.z:...0?.p....t...`~..........3.. .......1.g..A...@...c ........XO.@........]....<........`=..y....8..t.z:...0?.p....t...`~~].....>.q.ZK..y...??......}......?r.....-...b.~....j...o.:.vd..S...E0..{.pU.~..C...'..k.k..#..N.....T...........>#;.Q...&:.p..U.\...pO..>..%.{.^.y....>...\....I..V..N....}......I...H.......a..g......l]..U.d.wtn(._.._T....G.mx=..`~.....l!(BMD.~.d...f..V...p....}..p"Z..Y..x.K.....uZ./........r_..!.......5....r...<.S....PVa.=}V.^...\..x.e.P...}l.mt\|..6.k.p].~..C...'..k.+.."Z.0{[..........+..D.>3...~...I.'...q8..{.^.y....>...X.....p....c".Y..z.q..k.......^........K.M..5m~..............<..Ot...W,.....".?..B...."`w}8.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9658063C.emf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5348
Entropy (8bit):	2.333641896616443
Encrypted:	false
SSDEEP:	48:SE3IHpHK2g4x//3G7+wJj7IaK0pNCedxpc1:SNHpHK2x//3+xB7IaK0pUop8
MD5:	10CC58B3B22AD2D5A9BE889181790552
SHA1:	75D40D411B3A3D288E735A4C628DA44C4C39FA3C
SHA-256:	4A2DDC7AE24E1F9277476B6ACD369F53D0250FC329C9BD3B93B6AE64A17B15F5
SHA-512:	F3407353135BC0DD9A1C3861627D1574CA7DC1609514E32BC47892A84D81B133D1AECEF3C85DAE36B32DE0D53560B8CD36EEEA451F382831E2E387AEB7E608A1
Malicious:	false
Preview:	....l...........................C#...... EMF................................8.......}................U..H...................K.......................................'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A39313AA.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 539 x 117, 1-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1813
Entropy (8bit):	7.760708246194418
Encrypted:	false
SSDEEP:	24:/LprG0vhs2thEn3DXJamqANnRiTbPYyg5EUZEaJ5mCpL3kUGNKZK0vQYrYhWuVrB:l1KTXJaDKnRiTbP7UxHj5FxYEadD9ey
MD5:	B7CD4B4DB1368FFC7BED8E8945EA26DA
SHA1:	D2A9B1759322AA7FD625982F9BA546F8B4912515
SHA-256:	1233CE40FB6D8E7D2128FEB5B274E5369037C6CE4F05E08420EC8979FA9BE4BD
SHA-512:	04A9C57CBADF8DA660BA8F83399BAE02DCF30C7A4FAEEFBC024583DABADF7992EB87E52B3B4E6CA1978396D1A196D123D99C5AEB2C5D54C570BF5CAB4180DEAD
Malicious:	false
Preview:	.PNG........IHDR.......u............sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....PLTE......U..~....pHYs..!...!.........lIDATh...Mn.6..p.Zp.......(G..z.........,r..]tY.YD...3..~..}..ta......(j8.h..........9.."3!...9.)...b...O.Y`.{f...G.. \|.....8 .....F.b.3..&.>\D..H..v.v...H....~.q..]S.\|....+......xD..j. r...=w...I..+.x..... .9Ev....C...#2..Td...n!8~= ...p.A....".4....j...".."D...\..t..N..s.G>0b.#.+./}....R.....7..m.wO.+b..p...r.-q..yC..1F]......"}j....#..D./w.6w.>pH..(<....)F\|.. .!+]........pP$g.H...y.i.[.H...rI..[H.. ."_Xt..zbD... ..x@(:"....+..F.4F."....;KK.%.....3...cC.M.2.#+b8..."{E.y...g.....6.....u....}A.....E. .....*.."b+...I.....Xo ...rzZ.^..&Bc..$.9.w7...P.-..8.Ft<EfM...;.z&ct..!{M.<.....:.~sr..M..G..9.n#.~.zD.$..!..tW.}.tC.9E..n..C..?ej...<.$).]..~.<..2..z&.H.....1K..B>A..D8.xx....vd.J~z=bx.r.....6,....s.r.m..H.!...B.%MXe..=.._m.BO8~.0)..-.y.IF\.O.e.:.f-d<.2.,/.>.\|..X....Q2.t..I..bY.4.d$.U.&#..D)...@.6.. ..)..TN. .

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D3E7BBA3.jpeg

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 660x137, frames 3
Category:	dropped
Size (bytes):	25938
Entropy (8bit):	7.833218523254594
Encrypted:	false
SSDEEP:	768:RPdG3S2uAu5LAbvlGVzYO00pQlDSmM57dx7SiWIKLvW1:RP88Ap+cZ02kpCiWDg
MD5:	B5BB6A7EF0B322467A20AB38ABC07B97
SHA1:	47B724835E4C7B3DDB0FA32BE2D00CBFD43BADBC
SHA-256:	9CB8D86A1195C6A0C7E2B3FAE92C988BFFB85E24CD245872C543BB3B8295DCBE
SHA-512:	C90C1FF27F5179A9C3CC55C0C72E9B95377902B1F91CE216729BA9BEE899A07671506F4533D759DF3C5351B4263FCCEEA66AECE86E72E15093E361624BC4F0FA
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....+3@..(..s....k.....A..>.....(..M.\|-.O..M+..#B.G.7....2M.~!......[........O....o...9..5......{...g.3...H.....5.c.+.....f......"k!.....\|...8_.....M~..5...K$......ZP.>X.Fd..........+@&.+.Z...&..C..W...'..._..\|6+....<K.yg*t.R{]...a\....W...-..Q.Bh.G.......X5y.T....z..?....R.........),...n...8#..N...E....F2.._..B?..........#..v.m......5.i..7.KY..M._.v.fc.9R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DC2AD8A9.emf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5220
Entropy (8bit):	4.886315397806876
Encrypted:	false
SSDEEP:	96:F04WAPlYKG5mPKDRv4Og6tO/XP8lEEu6KdRE:i4G5mPaRvO/f8lEE+dRE
MD5:	CFC2EB922357AFC2E08B818DF59D2DB4
SHA1:	8123513647762ABFC4460CEFB958BD4A64ECF759
SHA-256:	CCE3BE7E4559A991BA398CBC436519D5B25B07AC458A454D62288A3C31BD35A0
SHA-512:	FA046F388ADD71D6A0819422C1232D44B9F126DEA55FD4761DB00B52299301CADFE744E06CF4DF8B14A5D10EA7BF10C305AE95594165E0ED232EDED3C07D9DF4
Malicious:	false
Preview:	....l...".......0.../...............t... EMF....d.......................@.......4...>..................<...........................S...5...R...p...................................S.e.g.o.e. .U.I....................................................t..].1.5.\.R.o.o.t.\.O.f.f.i.c.e..........n.q........D..P..........t..w.....4v............H...EX;w................6...4v.....X.v..6w...w...P............\.......................(.....6w...w...P............D....o.q........4.........].D....}.t........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$RU419 FEB17 BSRec_InvNet.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	false
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.9948250784848955
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	RU419 FEB17 BSRec_InvNet.xlsx
File size:	4768919
MD5:	bb2bdf2659b515eee1f56c0382847fd7
SHA1:	72405dd23abe1d3f97b75e3eb50bcecbf51669f8
SHA256:	a36ec67f835cb7968270d43f151df7b0b3cbd501b5eeb4688b8676758deadb0e
SHA512:	9c19fc7b871fbdbb46b7af3c50dc29436ffbd28f94d9ed91dbfcb8e1830210be7b66115012dbd67564afa1132107186e22f8d1c839681ed439d487aa49bc5b00
SSDEEP:	98304:zV40bHJu4znpW5DYAY+5HA0MefCaeCtu2qc60yHkOriCbm2:54A04TpADFYUMfvCtH7f0iCD
File Content Preview:	PK..........!...5#....^.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0d2d6d6d0dc

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	7

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91443
Entropy:	5.35403120266
Base64 Encoded:	True
Data ASCII:	/ e . . . . R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ S E P - 1 6 \\ r a p o r t y \\ R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . . . . . ` . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R E E M E A G o o d s I n T r a n s i t o l d e r t
Data Raw:	2f 65 01 00 02 00 52 45 20 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 52 55 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 53 45 50 2d 31 36 5c 72 61 70 6f 72 74 79 5c 52 45 20 45

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91443
Entropy:	5.35403120266
Base64 Encoded:	True
Data ASCII:	/ e . . . . R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ S E P - 1 6 \\ r a p o r t y \\ R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . . . . . ` . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R E E M E A G o o d s I n T r a n s i t o l d e r t
Data Raw:	2f 65 01 00 02 00 52 45 20 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 52 55 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 53 45 50 2d 31 36 5c 72 61 70 6f 72 74 79 5c 52 45 20 45

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91443
Entropy:	5.35403120266
Base64 Encoded:	True
Data ASCII:	/ e . . . . R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ S E P - 1 6 \\ r a p o r t y \\ R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . . . . . ` . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R E E M E A G o o d s I n T r a n s i t o l d e r t
Data Raw:	2f 65 01 00 02 00 52 45 20 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 52 55 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 53 45 50 2d 31 36 5c 72 61 70 6f 72 74 79 5c 52 45 20 45

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 121286

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	121286
Entropy:	5.36470100495
Base64 Encoded:	True
Data ASCII:	. . . . . . R E A c c o u n t 1 2 2 8 0 0 r e c o n c i l i a t i o n ( I n v e n t o r y - E x p e n s e s t o b e l a n d e d ) . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ t y m c z a s o w y \\ d o r e c o n o w \\ R E A c c o u n t 1 2 2 8 0 0 r e c o n c i l i a t i o n ( I n v e n t o r y - E x p e n s e s t o b e l a n d e d ) . m s g . . . . . r . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R
Data Raw:	c2 d9 01 00 02 00 52 45 20 41 63 63 6f 75 6e 74 20 31 32 32 38 30 30 20 72 65 63 6f 6e 63 69 6c 69 61 74 69 6f 6e 20 28 49 6e 76 65 6e 74 6f 72 79 20 2d 20 45 78 70 65 6e 73 65 73 20 74 6f 20 62 65 20 6c 61 6e 64 65 64 29 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 74 79 6d 63 7a 61 73 6f 77 79 5c 64 6f 20 72 65 63

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91431

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91431
Entropy:	5.35400764395
Base64 Encoded:	True
Data ASCII:	# e . . . . R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ S E P - 1 6 \\ r a p o r t y \\ R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . . . . . \\ . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R E E M E A G o o d s I n T r a n s i t o l d e r t
Data Raw:	23 65 01 00 02 00 52 45 20 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 52 55 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 53 45 50 2d 31 36 5c 72 61 70 6f 72 74 79 5c 52 45 20 45

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 169303

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	169303
Entropy:	7.19148621744
Base64 Encoded:	True
Data ASCII:	S . . . . . I n v o i c e 2 5 0 2 1 3 0 0 1 2 6 3 5 K T C - b o o k i n g w i t h 1 2 0 2 0 0 a c c o u n t . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ A U G - 1 6 \\ I n v o i c e 2 5 0 2 1 3 0 0 1 2 6 3 5 K T C - b o o k i n g w i t h 1 2 0 2 0 0 a c c o u n t . m s g . . . . . d . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ I n v o i c e 2 5 0 2 1 3 0 0 1 2 6 3 5 K T C
Data Raw:	53 95 02 00 02 00 49 6e 76 6f 69 63 65 20 32 35 30 32 31 33 30 30 31 32 36 33 35 4b 54 43 20 2d 20 62 6f 6f 6b 69 6e 67 20 77 69 74 68 20 31 32 30 32 30 30 20 61 63 63 6f 75 6e 74 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 41 55 47 2d 31 36 5c 49 6e 76 6f

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 35605

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	35605
Entropy:	3.8995864265
Base64 Encoded:	True
Data ASCII:	. . . . . . E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s I N M . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ A U G - 1 6 \\ R a p o r t y \\ E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s I N M . m s g . . . . . Z . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0
Data Raw:	11 8b 00 00 02 00 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 49 4e 4d 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 41 55 47 2d 31 36 5c 52 61 70 6f 72 74 79 5c 45 4d 45 41 20 47

Network Behavior

⊘No network behavior found

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 864, Parent PID: 800

General

Target ID:	0
Start time:	01:22:02
Start date:	29/01/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0xeb0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: splwow64.exePID: 5804, Parent PID: 864

General

Target ID:	2
Start time:	01:22:05
Start date:	29/01/2022
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff7801e0000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RU419 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5FA6FEA0-CB2C-4F8E-9780-03CCC61C3B5C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\37E97714.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\50D0390D.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5237299F.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\69015696.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6A727948.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7D410405.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9658063C.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A39313AA.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D3E7BBA3.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DC2AD8A9.emf

C:\Users\user\Desktop\~$RU419 FEB17 BSRec_InvNet.xlsx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General

Windows Analysis Report
RU419 FEB17 BSRec_InvNet.xlsx