File name:	_b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d.xls
Full analysis:	https://app.any.run/tasks/1673014c-8545-4431-9af6-00fbfb043568
Verdict:	Malicious activity
Analysis date:	July 08, 2025, 17:10:43
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	macros
MIME:	application/vnd.ms-excel
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Inc. Intuit, Create Time/Date: Wed Oct 13 10:08:56 2021, Last Saved Time/Date: Wed Oct 13 10:08:59 2021, Security: 0
MD5:	E63DEAEA51F7CC2064FF808E11E1AD55
SHA1:	4D58EC4C978988F16468CDA2323103AE62B2BAEA
SHA256:	B8EF959A9176AEF07FDCA8705254A163B50B49A17217A4FF0107487F59D4A35D
SSDEEP:	1536:LFk3hbdlylKsgqopeJBWhZFGkE+cL2NdAA5eSUPIbjB59ZYiosYvvXvTWbxgXTPE:LFk3hbdlylKsgqopeJBWhZFGkE+cL2NZ

.xls	\|	Microsoft Excel sheet (48)
.xls	\|	Microsoft Excel sheet (alternate) (39.2)

Author:	Inc. Intuit
LastModifiedBy:	-
CreateDate:	2021:10:13 10:08:56
ModifyDate:	2021:10:13 10:08:59
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	-
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	10_13_2021
HeadingPairs:	Worksheets 1
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Excel 2003 Worksheet


(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	1
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	wm.
Value: 776D2E00A00B00000100000000000000B66DB2452BF0DB0100000000
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation:	write	Name:	FontInfoCache
Value: 6000000060000000F5FFFFFF0000000000000000000000009001000000000000000000205400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000001B000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF000000000000000000000000BC02000000000000000000205400610068006F006D006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000600000020000000000000000D0000000B000000020000000200000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000002000000000000000100000000D000000030000000300000000000000330000000000000000000000F3FFFFFF000000000000000000000000E803000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002600000000000000100000000D000000030000000300000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000005300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000005300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000001B000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF000000000000000000000000BC02000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000005300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming
Operation:	write	Name:	RoamingConfigurableSettings
Value: DC00000000000000803A0900E90707000200080011000A003A00F801000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101001E0000008403000080510100050000000500000005000000
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:	delete value	Name:	wm.
Value: 海.஠
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	ko.
Value: 6B6F2E00A00B000000000040010000005C7B03462BF0DB01CA00000002000000BA0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C005F0062003800650066003900350039006100390031003700360061006500660030003700660064006300610038003700300035003200350034006100310036003300620035003000620034003900610031003700320031003700610034006600660030003100300037003400380037006600350039006400340061003300350064002E0078006C007300000000000000
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\17736C
Operation:	write	Name:	17736C
Value: 04000000A00B00005C00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C005F0062003800650066003900350039006100390031003700360061006500660030003700660064006300610038003700300035003200350034006100310036003300620035003000620034003900610031003700320031003700610034006600660030003100300037003400380037006600350039006400340061003300350064002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000506803462BF0DB016C7317006C73170000000000E0020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2976) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\17736C
Operation:	write	Name:	17736C
Value: 04000000A00B00005C00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C005F0062003800650066003900350039006100390031003700360061006500660030003700660064006300610038003700300035003200350034006100310036003300620035003000620034003900610031003700320031003700610034006600660030003100300037003400380037006600350039006400340061003300350064002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000506803462BF0DB016C7317006C73170000000000E0020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
7020	DWWIN.EXE	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_f0ba593678c823b3c7333937273fe7d2c1fa42_00000000_93fe19da-3dac-49fa-8b97-b320d8e38e4a\Report.wer		—
		MD5:—	SHA256:—
2976	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_41.ttf		pi2
		MD5:A807151D5747F6460143DC1FD2C3195F	SHA256:C0C3B354480E34CCC0C25D371B30D0272DB86C786AF6438C217998B0A30E5EB0
7020	DWWIN.EXE	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8713.tmp.xml		xml
		MD5:F71028C8EBC01F402474409A526FDC2C	SHA256:ED2EB7F5F0DC953CE542201C5960DDE3E10EA5FD751BAEC6A726F7BFC544A628
2976	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:DD3828FB8020BEDE8DF966474043FE7B	SHA256:4104710F094184026A309282F5AFA6C5FB179EC75519CB21526DB09CBF920E72
2976	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DF9043EA3EE334635B.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
2976	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\_b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d.xls.LNK		lnk
		MD5:26134BAF7443A45FA5A89C64F752E220	SHA256:3E6CAEC0177F4335380141916C99F445C6D0A1293AE87D534E1AFDC4F6F874D9
2976	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3KK26ED4HM87ZM8UYK0X.temp		binary
		MD5:4FCB2A3EE025E4A10D21E1B154873FE2	SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
2976	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json		tss
		MD5:308B5A1F5138608A5E231269DB621E72	SHA256:33DEBAC7B1F51E23B1440FE356846C902ADC89F986B2A94E250F1DC25B4A1180
2976	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF17b73a.TMP		binary
		MD5:E4A1661C2C886EBB688DEC494532431C	SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
2976	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DF78EB5104C0CBFDB4.TMP		document
		MD5:C9AC1DA214474EDE4F194221CDA83A5D	SHA256:EF9133F140CBA3DF6E65E9DAF059518D00DCB6CA7E4767DC186779232A299885

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2140	RUXIMICS.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2140	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	52.109.28.46:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	unknown	—	181 Kb	whitelisted
—	—	GET	200	23.197.142.186:443	https://fs.microsoft.com/fs/4.41/flatFontAssets.pkg	unknown	compressed	496 Kb	whitelisted
—	—	GET	200	52.123.129.14:443	https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b60B99F60-B07A-47BA-BA57-B6CD6A096086%7d&LabMachine=false	unknown	binary	389 Kb	whitelisted
—	—	GET	200	52.111.231.8:443	https://messaging.engagement.office.com/campaignmetadataaggregator?app=1&platform=10&OFC_CHANNEL=CC&OFC_AUDIENCE=Production&OFC_FLIGHTS=ofsh6c2b1tla1a31%3Bofcrui4yvdulbf31%3Bofhpex3jznepoo31%3Bofpioygfqmufst31%3Bofaa1msspvo2xw31&ver=16.0.16026.20002&hwid=04111-083-043729AED3&OSVersion=10.0.19045&country=US&locale=en-US&OFC_LICENSECATEGORY=6&OFC_LICENSESKU=Professional2019Retail&ContentType=CampaignContent	unknown	binary	16.4 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2140	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
2140	RUXIMICS.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
5944	MoUsoCoreWorker.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2140	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.185.110	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114 23.216.77.16 23.216.77.20 23.216.77.22 23.216.77.25 23.216.77.15 23.216.77.13 23.216.77.18 23.216.77.23 23.216.77.26	whitelisted
www.microsoft.com	95.101.149.131 23.35.229.160	whitelisted
officeclient.microsoft.com	52.109.89.18	whitelisted
ecs.office.com	52.123.128.14 52.123.129.14	whitelisted
fs.microsoft.com	104.102.63.189	whitelisted
login.live.com	20.190.160.20 20.190.160.17 40.126.32.133 20.190.160.65 40.126.32.74 40.126.32.72 40.126.32.140 20.190.160.3	whitelisted
messaging.engagement.office.com	52.111.232.15	whitelisted
messaging.lifecycle.office.com	52.111.236.4	whitelisted

General Info

_b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d.xls

E63DEAEA51F7CC2064FF808E11E1AD55

4D58EC4C978988F16468CDA2323103AE62B2BAEA

B8EF959A9176AEF07FDCA8705254A163B50B49A17217A4FF0107487F59D4A35D

1536:LFk3hbdlylKsgqopeJBWhZFGkE+cL2NdAA5eSUPIbjB59ZYiosYvvXvTWbxgXTPE:LFk3hbdlylKsgqopeJBWhZFGkE+cL2NZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from MS Office

Calls Win API functions (MACROS)

SUSPICIOUS

INFO

Reads Microsoft Office registry keys

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings