Edit tour

Windows Analysis Report
Arixcel_Explorer_v8.7.8793.msi

Overview

General Information

Sample name:	Arixcel_Explorer_v8.7.8793.msi
Analysis ID:	1445900
MD5:	a9fabc2227e5a5ce5aa17c3783e56110
SHA1:	602a2f1521d423a6111e62ff4d38d8353e5e9eae
SHA256:	da7c2031d596747b9afdde61ccfc469977495e3f3406acfbe733b6f598f02a73
Infos:

Detection

Score:	18
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Compliance

Score:	62
Range:	0 - 100

Signatures

Sigma detected: File With Uncommon Extension Created By An Office Application

Checks for available system drives (often done to infect USB drives)

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Found dropped PE file which has not been started or loaded

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64_ra

msiexec.exe (PID: 5452 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Arixcel_Explorer_v8.7.8793.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6648 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6860 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F8241E459A5D63C6243CC8C18663CA0E C MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 3972 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6065437 16 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.CheckSystemRequirements MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2016 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8E86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6065843 22 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.ResetAllUsers MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6932 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI905C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6066312 28 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.SetDefaultInstallFolders MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 6304 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C01FE4677FFB48E5645FF86B60FEF20B MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 6664 cmdline: rundll32.exe "C:\Windows\Installer\MSIB910.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6076750 2 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.RenameExplorer3Registry MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6668 cmdline: rundll32.exe "C:\Windows\Installer\MSIBAF5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6077218 8 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.RegisterVbaAddin MD5: 889B99C52A60DD49227C5E485A016679)

EXCEL.EXE (PID: 424 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 424, TargetFilename: C:\Users\user\AppData\Local\assembly\tmp\ZDZO238B\ArixcelExplorer.DLL

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: Arixcel Explorer 8.7, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 6648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\ArixcelExplorer\Description

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}

PE / OLE file has a valid certificate

Source: Arixcel_Explorer_v8.7.8793.msi

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Spreading

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Software Vulnerabilities

Source: excel.exe

Memory has grown: Private usage: 7MB later: 49MB

System Summary

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5cb73a.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB8FF.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB910.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBAF5.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5cb73c.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5cb73c.msi
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIB910.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIB910.tmp-\ArixcelSetup.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIB910.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIB910.tmp-\CustomAction.config
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIBAF5.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIBAF5.tmp-\ArixcelSetup.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIBAF5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIBAF5.tmp-\CustomAction.config

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIB910.tmp

Source: classification engine

Classification label: clean18.winMSI@17/47@0/5

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Windows\SysWOW64\rundll32.exe

Mutant created: NULL

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI8C71.tmp

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6065437 16 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.CheckSystemRequirements

Source: Arixcel_Explorer_v8.7.8793.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Arixcel_Explorer_v8.7.8793.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F8241E459A5D63C6243CC8C18663CA0E C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6065437 16 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.CheckSystemRequirements
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8E86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6065843 22 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.ResetAllUsers
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI905C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6066312 28 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.SetDefaultInstallFolders
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F8241E459A5D63C6243CC8C18663CA0E C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6065437 16 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.CheckSystemRequirements
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8E86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6065843 22 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.ResetAllUsers
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI905C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6066312 28 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.SetDefaultInstallFolders
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C01FE4677FFB48E5645FF86B60FEF20B
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB910.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6076750 2 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.RenameExplorer3Registry
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIBAF5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6077218 8 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.RegisterVbaAddin
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C01FE4677FFB48E5645FF86B60FEF20B
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB910.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6076750 2 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.RenameExplorer3Registry
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIBAF5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6077218 8 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.RegisterVbaAddin

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File written: C:\Users\user\AppData\Local\assembly\tmp\ZDZO238B\__AssemblyInfo__.ini

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Checks if Microsoft Office is installed

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Options

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}

PE / OLE file has a valid certificate

Source: Arixcel_Explorer_v8.7.8793.msi

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Arixcel_Explorer_v8.7.8793.msi

Static file information: File size 2240512 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\Arixcel.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\System.Memory.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\System.Threading.Channels.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\System.Buffers.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\Microsoft.Office.Tools.Common.v4.0.Utilities.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8C71.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI905C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\Arixcel.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\log4net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8E86.tmp-\ArixcelSetup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Arixcel Explorer\Aga.Controls.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\Arixcel.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\System.Memory.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\System.Buffers.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\System.Threading.Channels.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\Microsoft.Office.Tools.Common.v4.0.Utilities.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8C71.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI905C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\Arixcel.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\log4net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8E86.tmp-\ArixcelSetup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Arixcel Explorer\Aga.Controls.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Language, Device and Operating System Detection

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp-\ArixcelSetup.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI8E86.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI8E86.tmp-\ArixcelSetup.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI905C.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI905C.tmp-\ArixcelSetup.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIB910.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIB910.tmp-\ArixcelSetup.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIBAF5.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIBAF5.tmp-\ArixcelSetup.dll VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 Windows Service	1 Windows Service	11 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	1 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Label	Link
Arixcel_Explorer_v8.7.8793.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSI8C71.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8E86.tmp-\ArixcelSetup.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI905C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\Aga.Controls.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\Arixcel.Common.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\Arixcel.Controls.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\Microsoft.Office.Tools.Common.v4.0.Utilities.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\System.Buffers.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\System.Memory.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\System.Numerics.Vectors.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\System.Runtime.CompilerServices.Unsafe.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\System.Threading.Channels.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\System.Threading.Tasks.Extensions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Arixcel Explorer\log4net.dll	0%	ReversingLabs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.28.46	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.42.73.25	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.18.97.153	unknown	European Union	20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445900
Start date and time:	2024-05-22 18:23:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Arixcel_Explorer_v8.7.8793.msi
Detection:	CLEAN
Classification:	clean18.winMSI@17/47@0/5
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 2.18.97.153, 20.42.73.25
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Arixcel_Explorer_v8.7.8793.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	13212
Entropy (8bit):	5.785527605783875
Encrypted:	false
SSDEEP:
MD5:	2BF7B634835B6252D3B35BBA342E762E
SHA1:	1A831E1541B53659B8963EBB553B89D71B4E030F
SHA-256:	8481D4665D3375281714260CA347B110157E7ED7CED234F90A52807FB73EA588
SHA-512:	AC5E2A39BEE716C798CC08748CD0514CC012D54FC431330040AE6525E746F00175D85B7A7EC96ADF77BA9478B6FE6CC7927BEE87567F93BBE8DEE51CD48B176E
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@.b.X.@.....@.....@.....@.....@.....@......&.{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}..Arixcel Explorer 8.7..Arixcel_Explorer_v8.7.8793.msi.@.....@Y"...@.....@......arixcel.ico..&.{536F3CBA-F2A0-411E-AC41-4EE4C94EE2D8}.....@.....@.....@.....@.......@.....@.....@.......@......Arixcel Explorer 8.7......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B3A90744-DCEB-59FB-9F0D-C6A0CEB2F0CA}&.{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}.@......&.{F8541F6E-59B7-517A-8AA0-05A6BEE218E5}&.{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}.@......&.{1A931256-68FD-5C0A-979E-B093D2036F91}&.{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}.@......&.{BBFD4F7D-EBFD-5CE7-992A-96CE43B046F2}&.{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}.@......&.{BB60335A-5CA8-5606-A68B-0D4E4AFA14C8}&.{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}.@......&.{1170262E-21F1-5322-B992-E212B692EEF2}&.{C22576F4-B0E1-4CB8-A237-B8F2C5DF3505}.@......&.{7DC3913F-0CF

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	F28F5450F58DB67D3C8B4ECA5073B510
SHA1:	93F93332DD371EEE059BF067B58E6520D68D533C
SHA-256:	F57DE678FE332BD2E287E5103643E3340BAB59FBD236182A0CF09F2D345B41F4
SHA-512:	2BEA0C31CEED4EA1B0CD841C61F383F2C925BAFCE089227507C0E1ADA6ED913D1C12DCDD2C7AC52B6117A82F381B9B3FE7B607A6C020854C8771F8DF4835C6CC
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..T..............[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Qo.0...'.;D~...M.D...{.V...}...l....lh.M@(.%.$....l.n.)V.v.dW\|....)m.%...e..!.U`..m0....7..M...h.JV..\|."..k..5h....."..s.\.........F.q......p.K...5..u2.......d.4FK.dT...u...LK.)<x..edb..G.:...<........MxG9. .7....S..VX<........./..-.q.]..h8(Z!^...... ...}vx....D.]....0.+'.5. ..GPY.6<e..;\|D.&(..r.Y.....`.9.h.....1z:P..x......".].....;,x-.;. .J.+0K\|...v.)D..q..E...P...e.g..{d.yJ. ..n}..,...`.mE........S/.....*'-.N.........^....D

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1500
Entropy (8bit):	4.7443746690988435
Encrypted:	false
SSDEEP:
MD5:	82FACDCE498CD0F186C355760C5CF0EC
SHA1:	EEA81CE69BE03DF9B8670FC8B4DE53BEBC5E7972
SHA-256:	B46DB7ED88826F9D30C4DBDA37BA5C021C94A16A144FF889E1D5BBD77B0B0D71
SHA-512:	062736405F51D957BFD206618E755E02E3129826C70F6DB179FD77EB4E893016515162F8EDB4AFF4480B99C836C302344311CADE58010F06FF863E928EE03A2E
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Arixcel Explorer Installer, Author: Arixcel Ltd, Keywords: Arixcel Installer, Comments: Arixcel Explorer is a spreadsheet analysis add-in for Microsoft Excel., Template: x64;1033, Revision Number: {536F3CBA-F2A0-411E-AC41-4EE4C94EE2D8}, Create Time/Date: Sun Jan 28 20:44:34 2024, Last Saved Time/Date: Sun Jan 28 20:44:34 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.0.5722), Security: 2
Entropy (8bit):	7.638717425789046
TrID:	Microsoft Windows Installer (60509/1) 88.31% Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:	Arixcel_Explorer_v8.7.8793.msi
File size:	2'240'512 bytes
MD5:	a9fabc2227e5a5ce5aa17c3783e56110
SHA1:	602a2f1521d423a6111e62ff4d38d8353e5e9eae
SHA256:	da7c2031d596747b9afdde61ccfc469977495e3f3406acfbe733b6f598f02a73
SHA512:	1bd2344cce7955fcd505141fbf3caf83486a450f3490a45281a6bb2718e18bed3b89b8897ff93c9a1ebdaceb79cb5e47a848357d1c1be2a14271e44e8dc48bf7
SSDEEP:	49152:TAn5ftVvJ6FDzPbNjrhbwwtIWGfPn13vcOSu3R+f:E5V6FnR9UuGfPnFVSuB+f
TLSH:	C9A5022472918031E26B17344935F6955B3EFD219AB0C98B738DF67D2FB16C0DA36B22
File Content Preview:	........................>......................................................................................................................................................................................................................................

Has Summary Info:
Application Name:	Windows Installer XML Toolset (3.14.0.5722)
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Code Page:	1252
Title:	Installation Database
Subject:	Arixcel Explorer Installer
Author:	Arixcel Ltd
Keywords:	Arixcel Installer
Comments:	Arixcel Explorer is a spreadsheet analysis add-in for Microsoft Excel.
Template:	x64;1033
Revion Number:	{536F3CBA-F2A0-411E-AC41-4EE4C94EE2D8}
Create Time:	2024-01-28 20:44:34
Last Saved Time:	2024-01-28 20:44:34
Number of Pages:	200
Number of Words:	2
Creating Application:	Windows Installer XML Toolset (3.14.0.5722)
Security:	2

General
Stream Path:	\x5DigitalSignature
CLSID:
File Type:	data
Stream Size:	11775
Entropy:	7.651740637009454
Base64 Encoded:	True
Data ASCII:	0 - . . * H . . . . - 0 - . . . 1 . 0 . . . ` H . e . . . . . . 0 w . . + . . . . 7 . . . i 0 g 0 2 . . + . . . . 7 . . . 0 $ . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . 0 1 0 . . . ` H . e . . . . . . . N , : @ . * j . . . ( p . . ` 0 . 0 . x . . . . . . . . W ! 2 9 . w u \\ 0 . . . * H . . . . . . 0 b 1 . 0 . . . U . . . . U S 1 . 0 . . . U . . . . D i g i C e r t I n c 1 . 0 . . . U . . . . w w w . d i g i c e r t . c o m 1 ! 0 . . . U . . . . D i g i C e r t T r u s t e d
Data Raw:	30 82 2d fb 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 2d ec 30 82 2d e8 02 01 01 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 77 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 69 30 67 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01

General
Stream Path:	\x5MsiDigitalSignatureEx
CLSID:
File Type:	data
Stream Size:	32
Entropy:	4.875
Base64 Encoded:	False
Data ASCII:	I f T . . . . " 0 * s R v a c A 3 0 P 8 Y \\ .
Data Raw:	49 66 54 01 1c 2e 02 22 88 30 2a a2 73 52 76 61 63 f2 41 fa 33 ed 30 50 d2 38 fa 59 5c 1d da c8

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "olset (3.14.0.5722)"
Stream Size:	540
Entropy:	4.668543893004074
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l a t i o n D a t a b a s e . . . . . . . . . . . A r i x c e l E x p l o r e r I n s t a l l e r . . . . . . . . . . A r i x c e l L t d . . . . . . . . . A r i x c e l
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ec 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 c4 00 00 00 05 00 00 00 d8 00 00 00 06 00 00 00 f4 00 00 00 07 00 00 00 44 01 00 00 09 00 00 00 58 01 00 00 0c 00 00 00 88 01 00 00

General
Stream Path:	\x16678\x14437\x16830\x16740
CLSID:
File Type:	Microsoft Cabinet archive data, many, 1464256 bytes, 18 files, at 0x2c +A "Aga.Controls.dll" +A "Arixcel.Common.dll", number 1, 103 datablocks, 0x1 compression
Stream Size:	1464256
Entropy:	7.997986179388627
Base64 Encoded:	True
Data ASCII:	M S C F . . . . W . . . . . . , . . . . . . . . . . . . . . . . . . . . . . . g . . . . Z . . . . . . . . < X v . A g a . C o n t r o l s . d l l . . V . . . Z . . . . < X v . A r i x c e l . C o m m o n . d l l . . . . . . . . . < X v . A r i x c e l . C o n t r o l s . d l l . . . . . . . . . < X w . A r i x c e l E x p l o r e r . d l l . . . . . & . . . . T . A r i x c e l E x p l o r e r . d l l . c o n f i g . . . . . ( . . . . < X . A r i x c e l E x p l o r e r . d l l . m a n i f e s t
Data Raw:	4d 53 43 46 00 00 00 00 c0 57 16 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 12 00 00 00 00 00 00 00 14 03 00 00 67 00 01 00 00 5a 02 00 00 00 00 00 00 00 3c 58 76 a1 20 00 41 67 61 2e 43 6f 6e 74 72 6f 6c 73 2e 64 6c 6c 00 00 56 07 00 00 5a 02 00 00 00 3c 58 76 a1 20 00 41 72 69 78 63 65 6c 2e 43 6f 6d 6d 6f 6e 2e 64 6c 6c 00 00 ec 00 00 00 b0 09 00 00 00 3c 58 76 a1 20 00

General
Stream Path:	\x16786\x17522\x16702\x17205\x16827\x17384\x17214\x17574
CLSID:
File Type:	MS Windows icon resource - 4 icons, 32x32, 32 bits/pixel, 24x24, 32 bits/pixel
Stream Size:	9622
Entropy:	2.126126989614935
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . v . . . . . . . . . . h . . . . ! . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 04 00 20 20 00 00 01 00 20 00 a8 10 00 00 46 00 00 00 18 18 00 00 01 00 20 00 88 09 00 00 ee 10 00 00 14 14 00 00 01 00 20 00 b8 06 00 00 76 1a 00 00 10 10 00 00 01 00 20 00 68 04 00 00 2e 21 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x15038\x17205\x16827\x17384\x16924\x17975\x18483
CLSID:
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Stream Size:	258045
Entropy:	6.256870163299765
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . L ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . j h j h j h . k ` h . m h . l x h 8 l z h 8 k { h 8 m K h . i a h j i . h m m h h k h . k h j k h j k h R i c h j h . . . . . . . . P E . . L . . . . R K a . . . . . . . . . . ! . . . . . P . . . \| . . . . . . . M . . . . . . . ` . . . . . . . . . . . . . . . . . . . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16190\x17896\x17354\x16303\x16950\x17845
CLSID:
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	156888
Entropy:	6.031305225900342
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . L ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . c J . ' + ' + ' + k 6 + . h ! + h & + i . + h T + . S % $ + . S 5 > + ' + + i 1 + l & + o & + ' + 1 & + j & + R i c h ' + . . . . . . . . P E . . L . . . U . . . . . . . . . . ! . . . . . J . . . . . . . . . . F . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16446\x18156\x15518\x15103\x17648\x15103\x17508\x16945\x18485
CLSID:
File Type:	PNG image data, 493 x 58, 8-bit/color RGBA, non-interlaced
Stream Size:	23203
Entropy:	3.8934084550757597
Base64 Encoded:	True
Data ASCII:	P N G . . . . . . . . I H D R . . . . . . : . . . . . . . . . . p H Y s . . . . . . . . . . . . . . O i C C P P h o t o s h o p I C C p r o f i l e . . x . S g T S . = B K K o R . . R B . & * ! . . J ! . Q . E E . . . . . Q , . . . ! { k . > . . . H 3 Q 5 . B . . . @ . $ p . . . d ! s # . . ~ < < + " . . . x . . . M 0 . . B \\ . . t 8 K . . . @ z B . @ F . & S . . . ` c b . P - . ` ' . . { . . [ ! . . . . e D . h ; . V E . X 0 . . f K 9 . - . 0 I W f H . . . . . . . . 0 Q ) . . { . ` # # x . . . F W
Data Raw:	89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 ed 00 00 00 3a 08 06 00 00 00 9d f8 01 d8 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 0a 4f 69 43 43 50 50 68 6f 74 6f 73 68 6f 70 20 49 43 43 20 70 72 6f 66 69 6c 65 00 00 78 da 9d 53 67 54 53 e9 16 3d f7 de f4 42 4b 88 80 94 4b 6f 52 15 08 20 52 42 8b 80 14 91 26 2a 21 09 10 4a 88 21 a1 d9 15 51 c1

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
CLSID:
File Type:	data
Stream Size:	1352
Entropy:	4.99030390093225
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 9 . 9 . 9 . 9 . 9 . 9 . ? . ? . ? . G . G . G . G . G . G . G . G . G . G . G . G . I . I . I . I . I . I . I . I . I . I . [ . [ . [ . [ . b . b . b . b . b . b . k . k . k . k . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 39 00 39 00 39 00 39 00 39 00 39 00 3f 00 3f 00 3f 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 5b 00 5b 00 5b 00 5b 00 62 00 62 00

General
Stream Path:	\x18496\x15518\x16925\x17915
CLSID:
File Type:	MS Windows COFF Alpha object file
Stream Size:	204
Entropy:	4.35680956267016
Base64 Encoded:	False
Data ASCII:	. B . C . D . E . F . G . I . K . M . O . Q . S . U . X . Z . \\ . ^ . ` . b . d . f . h . j . l . n . p . r . t . v . x . z . \| . ~ . . . . . . . . . . . . . . . . . . W . . . C . D . E . F . H . J . L . N . P . R . T . V . Y . [ . ] . _ . a . c . e . g . i . k . m . o . q . s . u . w . y . { . } . . . . . . . . . . . . . . . . . . . .
Data Raw:	84 01 42 03 43 03 44 03 45 03 46 03 47 03 49 03 4b 03 4d 03 4f 03 51 03 53 03 55 03 58 03 5a 03 5c 03 5e 03 60 03 62 03 64 03 66 03 68 03 6a 03 6c 03 6e 03 70 03 72 03 74 03 76 03 78 03 7a 03 7c 03 7e 03 80 03 82 03 84 03 86 03 88 03 8a 03 8c 03 8e 03 90 03 92 03 94 03 96 03 98 03 9a 03 9c 03 9e 03 a0 03 57 03 00 00 43 03 44 03 45 03 46 03 48 03 4a 03 4c 03 4e 03 50 03 52 03 54 03

General
Stream Path:	\x18496\x16191\x17783\x17516\x15210\x17892\x18468
CLSID:
File Type:	ASCII text, with very long lines (20240), with CRLF line terminators
Stream Size:	96881
Entropy:	5.311327990914525
Base64 Encoded:	True
Data ASCII:	N a m e T a b l e T y p e C o l u m n V a l u e _ V a l i d a t i o n N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y C o l u m n M a x V a l u e N u l l a b l e K e y T a b l e M i n V a l u e I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y
Data Raw:	4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 56 61 6c 75 65 5f 56 61 6c 69 64 61 74 69 6f 6e 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 43 6f 6c 75 6d 6e 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 54 61 62 6c 65 4d 69 6e 56 61 6c 75 65

General
Stream Path:	\x18496\x16191\x17783\x17516\x15978\x17586\x18479
CLSID:
File Type:	data
Stream Size:	3736
Entropy:	3.5027214583325175
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . . . . . . . . . . . . . . L . . . . . . . . . 6 . . . $ . . . . . . . . . . . . ~ . . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . o . . . . . . . . . . . . . . . . . . . ( . . . . . . . 5 . . . . . . . . . . ' . . . . . . . . . . . . . . . ( . . . . . . . * . . . . . . . ; . . . . . . . . . . . > . . . . . . . . . . . . . . .
Data Raw:	e4 04 00 00 04 00 0a 00 05 00 02 00 00 00 00 00 04 00 06 00 06 00 02 00 05 00 0b 00 0b 00 15 00 01 00 67 00 0a 00 01 00 13 00 02 00 0b 00 1c 00 03 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 0a 00 36 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 4c 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 7e 00

General
Stream Path:	\x18496\x16255\x16740\x16943\x18486
CLSID:
File Type:	data
Stream Size:	68
Entropy:	3.7051099000738668
Base64 Encoded:	False
Data ASCII:	. . " . ) . * . + . , . 1 . 5 . 9 . ? . G . I . [ . b . k . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	07 00 22 00 29 00 2a 00 2b 00 2c 00 31 00 35 00 39 00 3f 00 47 00 49 00 5b 00 62 00 6b 00 8a 00 8f 00 9d 00 a2 00 b0 00 b3 00 b4 00 b5 00 b8 00 be 00 ca 00 d5 00 de 00 e8 00 eb 00 ee 00 ff 00 09 01 0c 01

General
Stream Path:	\x18496\x16383\x17380\x16876\x17892\x17580\x18481
CLSID:
File Type:	data
Stream Size:	4104
Entropy:	2.5282386464409887
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 9 . 9 . 9 . 9 . 9 . 9 . ? . ? . ? . G . G . G . G . G . G . G . G . G . G . G . G . I . I . I . I . I . I . I . I . I . I . [ . [ . [ . [ . b . b . b . b . b . b . k . k . k . k . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 0a 00 0a 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 39 00 39 00 39 00 39 00 39 00 39 00 3f 00 3f 00 3f 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 47 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 5b 00 5b 00 5b 00 5b 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arixcel_Explorer_v8.7.8793.msi

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Config.Msi\5cb73b.rbs

C:\Users\user\AppData\Local\Arixcel Explorer\Aga.Controls.dll

C:\Users\user\AppData\Local\Arixcel Explorer\Arixcel.Common.dll

C:\Users\user\AppData\Local\Arixcel Explorer\Arixcel.Controls.dll

C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.dll

C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.dll.config

C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.dll.manifest

C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.log4net

C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.vsto

C:\Users\user\AppData\Local\Arixcel Explorer\ArixcelExplorer.xlam

C:\Users\user\AppData\Local\Arixcel Explorer\Microsoft.Office.Tools.Common.v4.0.Utilities.dll

C:\Users\user\AppData\Local\Arixcel Explorer\Newtonsoft.Json.dll

C:\Users\user\AppData\Local\Arixcel Explorer\System.Buffers.dll

C:\Users\user\AppData\Local\Arixcel Explorer\System.Memory.dll

C:\Users\user\AppData\Local\Arixcel Explorer\System.Numerics.Vectors.dll

C:\Users\user\AppData\Local\Arixcel Explorer\System.Runtime.CompilerServices.Unsafe.dll

C:\Users\user\AppData\Local\Arixcel Explorer\System.Threading.Channels.dll

C:\Users\user\AppData\Local\Arixcel Explorer\System.Threading.Tasks.Extensions.dll

C:\Users\user\AppData\Local\Arixcel Explorer\log4net.dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1D601E47.tmp (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\6O27WT20.log

C:\Users\user\AppData\Local\Temp\ArixcelExplorer.log

C:\Users\user\AppData\Local\Temp\MSI8C71.tmp

C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp-\CustomAction.config

C:\Users\user\AppData\Local\Temp\MSI8CFF.tmp-\Microsoft.Deployment.WindowsInstaller.dll

C:\Users\user\AppData\Local\Temp\MSI8E86.tmp-\ArixcelSetup.dll

C:\Users\user\AppData\Local\Temp\MSI905C.tmp

C:\Users\user\AppData\Local\Temp\~DF1BF63C73D47F646D.TMP

C:\Users\user\AppData\Local\Temp\~DFD2AA41CFBB79474C.TMP

C:\Users\user\AppData\Local\assembly\tmp\2YQK1WIO\__AssemblyInfo__.ini

C:\Users\user\AppData\Local\assembly\tmp\9WIRSJYC\__AssemblyInfo__.ini

C:\Users\user\AppData\Local\assembly\tmp\FNYW4YDD\__AssemblyInfo__.ini

C:\Users\user\AppData\Local\assembly\tmp\HWC6L5O8\__AssemblyInfo__.ini

C:\Users\user\AppData\Local\assembly\tmp\OCUJWGU0\__AssemblyInfo__.ini

C:\Users\user\AppData\Local\assembly\tmp\PFAA2LU0\__AssemblyInfo__.ini

Windows Analysis Report
Arixcel_Explorer_v8.7.8793.msi

C:\Users\user\AppData\Local\assembly\tmp\2YQK1WIO\AssemblyInfo.ini

C:\Users\user\AppData\Local\assembly\tmp\9WIRSJYC\AssemblyInfo.ini

C:\Users\user\AppData\Local\assembly\tmp\FNYW4YDD\AssemblyInfo.ini

C:\Users\user\AppData\Local\assembly\tmp\HWC6L5O8\AssemblyInfo.ini

C:\Users\user\AppData\Local\assembly\tmp\OCUJWGU0\AssemblyInfo.ini

C:\Users\user\AppData\Local\assembly\tmp\PFAA2LU0\AssemblyInfo.ini

C:\Users\user\AppData\Local\assembly\tmp\QMQ4QZ9O\AssemblyInfo.ini

C:\Users\user\AppData\Local\assembly\tmp\V1H78IGM\AssemblyInfo.ini

C:\Users\user\AppData\Local\assembly\tmp\ZDZO238B\AssemblyInfo.ini

General
Stream Path:	\x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
CLSID:
File Type:	data
Stream Size:	8
Entropy:	1.75
Base64 Encoded:	False
Data ASCII:	. . . . . . .
Data Raw:	ba 02 03 03 02 03 04 03

General
Stream Path:	\x18496\x16667\x17191\x15090\x17912\x17591\x18481
CLSID:
File Type:	data
Stream Size:	72
Entropy:	3.6098900164775847
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . < ' ' ' ' . . . . . . . . . . . . . . . . . . . .
Data Raw:	b9 01 b9 01 11 02 11 02 01 80 02 80 01 80 02 80 18 03 1c 03 8d 02 8e 02 00 80 00 80 00 80 00 80 00 80 14 80 00 80 3c 80 27 81 27 81 27 81 27 81 10 80 10 80 10 80 10 80 1b 03 1d 03 1e 03 1f 03 00 00 00 00 00 00 00 00

General
Stream Path:	\x18496\x16786\x17522
CLSID:
File Type:	data
Stream Size:	4
Entropy:	2.0
Base64 Encoded:	False
Data ASCII:	. . .
Data Raw:	ed 02 01 00

General
Stream Path:	\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
CLSID:
File Type:	PDP-11 overlaid separate executable not stripped
Stream Size:	48
Entropy:	3.5275690110927505
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . < .
Data Raw:	19 01 1a 01 1b 01 1c 01 1d 01 1e 01 1f 01 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99

General
Stream Path:	\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
CLSID:
File Type:	PDP-11 overlaid separate executable not stripped
Stream Size:	42
Entropy:	3.428883414027889
Base64 Encoded:	False
Data ASCII:	. . . . . . ! . " . # . $ . . . . . . . . . . . . . . . . . . .
Data Raw:	19 01 1a 01 1b 01 21 01 22 01 23 01 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 fd 7f fe 7f ff 7f 14 85

General
Stream Path:	\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
CLSID:
File Type:	PDP-11 overlaid separate executable not stripped
Stream Size:	42
Entropy:	3.338630675432784
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . % . & . . . . . . . . . . . . . . . x . . .
Data Raw:	19 01 1b 01 1c 01 1d 01 20 01 25 01 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99

General
Stream Path:	\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
CLSID:
File Type:	data
Stream Size:	108
Entropy:	3.188721875540867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . 8 . : . < . > . @ . B . D . F . H . J . L . N . P . R . T . V . X . Z . _ . b . e . g . k . o . s . w .
Data Raw:	d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 d1 02 35 01 38 01 3a 01 3c 01 3e 01 40 01 42 01 44 01 46 01 48 01 4a 01 4c 01 4e 01 50 01 52 01 54 01 56 01 58 01 5a 01 5f 01 62 01 65 01 67 01 6b 01 6f 01 73 01 77 01

General
Stream Path:	\x18496\x16911\x17892\x17784\x18472
CLSID:
File Type:	data
Stream Size:	16
Entropy:	2.1774212838293647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . .
Data Raw:	d1 02 00 00 d2 02 00 00 02 80 01 80 00 00 00 80

General
Stream Path:	\x18496\x16918\x17191\x18468
CLSID:
File Type:	MIPSEB Ucode
Stream Size:	14
Entropy:	1.9502120649147472
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . .
Data Raw:	01 80 12 00 00 80 00 00 05 03 00 00 00 00

General
Stream Path:	\x18496\x16923\x15722\x16818\x17892\x17778
CLSID:
File Type:	data
Stream Size:	10
Entropy:	2.7219280948873625
Base64 Encoded:	False
Data ASCII:	( . . 3 . 4 . .
Data Raw:	28 01 02 80 33 03 34 03 02 80