ID: 435551
Sample Name: GENERAL ATLANTIC LLC FILES.xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 16:48:09
Date: 16/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents 2
Windows Analysis Report GENERAL ATLANTIC LLC FILES.xlsx 4
  Overview 4: General Information 4; Detection 4; Signatures 4; Classification 4
  Process Tree 4
  Malware Configuration 4
  Yara Overview 4
  Sigma Overview 4
  Signature Overview 4: Software Vulnerabilities 5; Stealing of Sensitive Information 5
  Mitre Att&ck Matrix 5
  Behavior Graph 5
  Screenshots 6: Thumbnails 6
  Antivirus, Machine Learning and Genetic Malware Detection 7: Initial Sample 7; Dropped Files 7; Unpacked PE Files 7; Domains 7; URLs 7
  Domains and IPs 9: Contacted Domains 9; URLs from Memory and Binaries 9; Contacted IPs 9
  General Information 9
  Simulations 10: Behavior and APIs 10
  Joe Sandbox View / Context 10: IPs 10; Domains 10; ASN 10; JA3 Fingerprints 10; Dropped Files 10
  Created / dropped Files 10
  Static File Info 11: General 11; File Icon 12
  Network Behavior 12: Network Port Distribution 12; UDP Packets 12
  Code Manipulations 12
  Statistics 12
  Behavior 12: System Behavior 12
    Analysis Process: EXCEL.EXE PID: 6912 Parent PID: 792 12: General 12; File Activities 13 (File Created 13; File Written 13; File Read 13); Registry Activities 13 (Key Created 13; Key Value Created 13)
    Analysis Process: Microsoft.Mashup.Container.NetFX40.exe PID: 5756 Parent PID: 6912 13: General 13; File Activities 13 (File Created 13; File Read 13)
    Analysis Process: Microsoft.Mashup.Container.NetFX40.exe PID: 3908 Parent PID: 6912 13: General 13; File Activities 14 (File Created 14; File Read 14)
    Analysis Process: Microsoft.Mashup.Container.NetFX40.exe PID: 6452 Parent PID: 6912 14: General 14; File Activities 14 (File Created 14; File Read 14)
    Analysis Process: Microsoft.Mashup.Container.NetFX40.exe PID: 5440 Parent PID: 6912 14: General 14; File Activities 15 (File Created 15; File Read 15)
  Disassembly 15

Copyright Joe Security LLC 2021 Page 2 of 15

Windows Analysis Report GENERAL ATLANTIC LLC FILES.xlsx

Overview

General Information
Sample Name: GENERAL ATLANTIC LLC FILES.xlsx
Analysis ID: 435551
MD5: 1156b4a00a10d2…
SHA1: 2e06be6f8e346fd…
SHA256: cb8e1dfbae2c4c7…
Infos:
Most interesting Screenshot:

Detection
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures (overlaid text in the extracted overview, reconstructed; entries cut off in the original are left truncated)
Document exploit detected (process start blacklist hit)
Opens network shares
Allocates a big amount of memory (p…
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / Us…
May sleep (evasive loops) to hinder …
Queries the volume information (nam…
Sample execution stops while proce…

Classification
Wheel categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Verdict scale: malicious, suspicious, clean

Process Tree

System is w10x64

EXCEL.EXE (PID: 6912, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, MD5: 5D6638F2C8F8571C593999C58866007E)
  Microsoft.Mashup.Container.NetFX40.exe (PID: 5756, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe' 5476 5488 0ebd7e21-4aac-430a-88a1-df7a2aebac5c 1, MD5: CE454F6689F1658ADB94F1F58B6316DB)
  Microsoft.Mashup.Container.NetFX40.exe (PID: 3908, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe' 5584 5596 0ebd7e21-4aac-430a-88a1-df7a2aebac5c 2, MD5: CE454F6689F1658ADB94F1F58B6316DB)
  Microsoft.Mashup.Container.NetFX40.exe (PID: 6452, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe' 4840 5640 0ebd7e21-4aac-430a-88a1-df7a2aebac5c 3, MD5: CE454F6689F1658ADB94F1F58B6316DB)
  Microsoft.Mashup.Container.NetFX40.exe (PID: 5440, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe' 5696 5692 0ebd7e21-4aac-430a-88a1-df7a2aebac5c 4, MD5: CE454F6689F1658ADB94F1F58B6316DB)
  cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Stealing of Sensitive Information:

Opens network shares

Mitre Att&ck Matrix

The matrix is listed per tactic column; a number after a technique name is the report's match counter, printed as in the original.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Exploitation for Client Execution 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 1; Extra Window Memory Injection 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 2 1; Process Injection 1; Extra Window Memory Injection 1; Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Network Share Discovery 1; Process Discovery 1; Virtualization/Sandbox Evasion 2 1; Application Window Discovery 1; File and Directory Discovery 1; System Information Discovery 1 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph

[Rendered behavior graph; legend and node icons not reproduced in the text extraction]
ID: 435551
Sample: GENERAL ATLANTIC LLC FILES.xlsx
Startdate: 16/06/2021
Architecture: WINDOWS
Score: 48

EXCEL.EXE (.Net C# or VB.NET; node counters shown: 38, 55; connects to the Internet)
  Signature: Document exploit detected (process start blacklist hit)
  started: Microsoft.Mashup.Container.NetFX40.exe (four instances, node counter 2 each)
    Signature: Opens network shares

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
GENERAL ATLANTIC LLC FILES.xlsx | 0% | Virustotal | | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://cdn.entity. | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | | Browse
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | Virustotal | | Browse
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Virustotal | | Browse
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
https://api.cortana.ai | 0% | URL Reputation | safe |
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Virustotal | | Browse
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe |
https://directory.services. | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435551
Start date: 16.06.2021
Start time: 16:48:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GENERAL ATLANTIC LLC FILES.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.spyw.expl.winXLSX@9/3@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xlsx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer
Warnings:

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\PowerQuery\Cache\Cache.Version
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 16
Entropy (8bit): 0.3372900666170139
Encrypted: false
SSDEEP: 3:El:M
MD5: 08FB3033AE0E817A46E80A2E0D757D01
SHA1: 031EE8071545C35FFDC0AA20DA07CE2E36CE543F
SHA-256: 9D34149FBD1FE777EB238799054C8CBFBCE372255F219F8740838DEF9BFD02DB
SHA-512: 7C823875903E1EAA0FAAF0011AF6781E94A2B858C2E96D0F8A49584476456D567CD43F2ED04A38CC3F13385DD296FAA65ECC589CCB8B651D3EA2812958BA7E41
Malicious: false
Reputation: low
Preview: ......

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\918E59FF-57E4-4569-AE7A-AD80E82D8124
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134863
Entropy (8bit): 5.364821205442825
Encrypted: false
SSDEEP: 1536:3cQIKNEeBxA3gBwlpQ9DQW+z7Y34ZliKWXboOilX5E6LWME9:VEQ9DQW+zLXO1
MD5: E6EB051346976E08651CC7F6FAFC6846
SHA1: E872008DC0B1A1293322D9374E52707E222CC606
SHA-256: 5FB192CC4835756FAF4157D8A4C3632E1A6C57225E29E4135960A22708E5D456
SHA-512: 2CA306C52759F01D07E034F4ABA06AC8ACB99D9B75CFBE9816214064A42D7818D72BF8DE595F66A902793416C25A6B869E99C6DE3696EDE3F67BA6FE96A9CC04
Malicious: false
Reputation: low
Preview: .... .. Build: 16.0.14214.30526-->.. .. .. .. .. https://rr.office.microsoft.com/research/query.asmx.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://ocsa.office.microsoft.com/client/15/help/template.. ..

C:\Users\user\Desktop\~$GENERAL ATLANTIC LLC FILES.xlsx
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.6081032063576088
Encrypted: false
SSDEEP: 3:RFXI6dtt:RJ1
MD5: 7AB76C81182111AC93ACF915CA8331D5
SHA1: 68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256: 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512: A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious: false
Reputation: high, very likely benign file
Preview: .pratesh ..p.r.a.t.e.s.h......

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.430432101343294
TrID: Excel Microsoft Office Open XML Format document (40004/1) 83.33%; ZIP compressed archive (8000/1) 16.67%
File name: GENERAL ATLANTIC LLC FILES.xlsx
File size: 21452
MD5: 1156b4a00a10d249dbe6163c761bd472
SHA1: 2e06be6f8e346fd87328d2aab74cb794ee239ae0
SHA256: cb8e1dfbae2c4c71e2833e4d57ee48e25d1e5f4bee97e2ace3a71242c73de8fc
SHA512: db0394021aa68970557dabb5c00ed4e79822dc10615f52c4362ea494063592e5305ceacf2aaaa4326ca4afcd38b810a0c53f2364132c67ce2022c997002257b8
SSDEEP: 384:6KitzKUlM9zIv7v5uyLyyNgpyDwO3kqtQ/54pWdpChym34u1J2:6KitzKxituiN0yDw2kiI4pWzO3Hy
File Content Preview: PK...... !.NDF...../...... [Content_Types].xml ...(......

File Icon

Icon Hash: 74ecd0d2d6d6d0dc

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: EXCEL.EXE PID: 6912 Parent PID: 792

General

Start time: 16:49:03
Start date: 16/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x10d0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Written

File Read

Registry Activities

Key Created

Key Value Created

Analysis Process: Microsoft.Mashup.Container.NetFX40.exe PID: 5756 Parent PID: 6912

General

Start time: 16:50:02
Start date: 16/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe' 5476 5488 0ebd7e21-4aac-430a-88a1-df7a2aebac5c 1
Imagebase: 0x880000
File size: 27384 bytes
MD5 hash: CE454F6689F1658ADB94F1F58B6316DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

File Read

Analysis Process: Microsoft.Mashup.Container.NetFX40.exe PID: 3908 Parent PID: 6912

General

Start time: 16:50:03
Start date: 16/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe' 5584 5596 0ebd7e21-4aac-430a-88a1-df7a2aebac5c 2
Imagebase: 0x6c0000
File size: 27384 bytes
MD5 hash: CE454F6689F1658ADB94F1F58B6316DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

File Read

Analysis Process: Microsoft.Mashup.Container.NetFX40.exe PID: 6452 Parent PID: 6912

General

Start time: 16:50:06
Start date: 16/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe' 4840 5640 0ebd7e21-4aac-430a-88a1-df7a2aebac5c 3
Imagebase: 0xad0000
File size: 27384 bytes
MD5 hash: CE454F6689F1658ADB94F1F58B6316DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

File Read

Analysis Process: Microsoft.Mashup.Container.NetFX40.exe PID: 5440 Parent PID: 6912

General

Start time: 16:50:15
Start date: 16/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe' 5696 5692 0ebd7e21-4aac-430a-88a1-df7a2aebac5c 4
Imagebase: 0xa10000
File size: 27384 bytes
MD5 hash: CE454F6689F1658ADB94F1F58B6316DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

File Read

Disassembly

Copyright Joe Security LLC Joe Sandbox Cloud Basic 32.0.0 Black Diamond
