Edit tour

Windows Analysis Report
22-May-24-document-137bcf45.xll

Overview

General Information

Sample name:	22-May-24-document-137bcf45.xll
Analysis ID:	1445889
MD5:	cbc99f197fd36b22994012714799e4d9
SHA1:	fd280d3c557ab3af725da54f107e013969dc6848
SHA256:	c8e254f7ea199b0e86278bfbe0e6f8ea107031d7503a04e21ca29918a2502ffb
Tags:	xll
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6848 cmdline: cmd /C "C:\Users\user\Desktop\22-May-24-document-137bcf45.xll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EXCEL.EXE (PID: 1068 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" -xlls "C:\Users\user\Desktop\22-May-24-document-137bcf45.xll" MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 7944 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

cleanup

Sigma Signatures

System Summary

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.213.45, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1068, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49753

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49753, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1068, Protocol: tcp, SourceIp: 13.107.213.45, SourceIsIpv6: false, SourcePort: 443

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen1ce83e5d4135b07c0b82afffbe

Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 79.6% probability

Machine Learning detection for sample

Source: 22-May-24-document-137bcf45.xll

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49755 version: TLS 1.2

Source: 22-May-24-document-137bcf45.xll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443

Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49754
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49753
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49755
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 192.168.2.4:49756 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49756
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49757
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49758
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49762
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49759
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49760
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 13.107.213.45:443
Source: global traffic	TCP traffic: 13.107.213.45:443 -> 192.168.2.4:49761

Source: Joe Sandbox View

IP Address: 13.107.213.45 13.107.213.45

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324007v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: 22-May-24-document-137bcf45.xll	String found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen1ce83e5d4135b07c0b82afffbe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.45:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 22-May-24-document-137bcf45.xll

Source: 22-May-24-document-137bcf45.xll

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal60.winXLL@7/1@0/1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso8B7D.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{1339892B-586D-4B6F-80F3-D14E6E4BFF9D} - OProcSessId.dat

Jump to behavior

Source: 22-May-24-document-137bcf45.xll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\Desktop\22-May-24-document-137bcf45.xll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" -xlls "C:\Users\user\Desktop\22-May-24-document-137bcf45.xll"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" -xlls "C:\Users\user\Desktop\22-May-24-document-137bcf45.xll"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: 22-May-24-document-137bcf45.xll

Static PE information: Image base 0x2c32b0000 > 0x60000000

Source: 22-May-24-document-137bcf45.xll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: 22-May-24-document-137bcf45.xll

Static PE information: section name: .xdata

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" -xlls "C:\Users\user\Desktop\22-May-24-document-137bcf45.xll"

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Exploitation for Client Execution	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
22-May-24-document-137bcf45.xll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen1ce83e5d4135b07c0b82afffbe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
part-0017.t-0009.t-msedge.net	13.107.213.45	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen1ce83e5d4135b07c0b82afffbe	22-May-24-document-137bcf45.xll	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.213.45	part-0017.t-0009.t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445889
Start date and time:	2024-05-22 18:01:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	22-May-24-document-137bcf45.xll
Detection:	MAL
Classification:	mal60.winXLL@7/1@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.89.19, 88.221.125.185, 2.16.100.168, 88.221.110.91, 20.42.73.31
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-000.roaming.officeapps.live.com, a767.dspw65.akamai.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdeus21.eastus.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edges
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 22-May-24-document-137bcf45.xll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
13.107.213.45	Re_ Bridge Drainage Enquiry.eml	Get hash	malicious	HTMLPhisher	Browse
	https://m.exactag.com/ai.aspx?tc=d9069973bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Aroyalweddingsktm.com%2Fimgs%2F37534%2Fsin3qp16kb%2FbWFyYy5zbWl0aEB6YmV0YS5jb20=	Get hash	malicious	HTMLPhisher	Browse
	https://weblaunch.blifax.com/listener3/redirect?l=e6df36b9-5af1-4758-b7e4-83fbf7f30dfb&id=e0d346f1-f241-ee11-acc4-000c295a2555&u=http%253Aeyesontheguys.com%2Fwinner%2F03013%2F%2FYnJhbmRvbi5nYXJjaWFAZ3RmY3Uub3Jn	Get hash	malicious	HTMLPhisher	Browse
	https://u44480879.ct.sendgrid.net/ls/click?upn=u001.K3PKLmjBF8yuYObBAUhMhoYgMCf2QPF8-2BZI72vFIksvq5gv1YdeLmebXIjmharYkUcFgg0gxX-2FWnhhIuwG1v7hZ1jSPSflMHjG28wduJ6WYURJRkvoZYkrpgydIv6UCw7t1grI-2FOHPnDvS00ShpX9xXHYT95jO14dPyhKlpfAgbiguCssCUSGyzsUXoj0i5OD5WgRtFSbHv5xA6nkt2-2BnV2PahLYLwt63WRXCeSfWq4QVMqO-2BJ19jNeGlkPsSJ7LjTRQ_i2l0JY0a-2B5IHliMJOpuAQskejvIIAloJuWpirDIyAKvqXPSxi-2BJFNs3s-2BBhNyt3IuemV4R9vgK4lniAodKDuO5I3mYVK4xxASVKvZBnT0EvvqLHkUoab3uOwe13cn6mNyhQaL1Vcdvxd7XZ0GFfTZ9aBlD2GiHfinlIyB6vRF7bjNGZmtvLv3o0jYjOgY4RXF495TuUjjBZNoMguN8rUGoiNOkgNXvc2IiDsbNfgghazj2fwqVSs1vbmTcZe0zePKD2UCPQB-2F0HgPY4-2FJ1DTehOrWMbxZ-2FvJVCWppZOFHMlDv0TKEyx1-2FUlF330qgqw9RpmfgzpuSa3QNju2XxovCzCQMgiykbvuS-2BASB-2BwolLPpkcOYAm2PSCx0uDNQdWPLOarKIcv5eBG38XDZm38U-2BPUlNv7WKbMtJQtnyTRX26RGa2QEgMJJEg7pVaW1E3fNSFtUzV-2B9TRB6AR-2F0dQVDjN-2BDXbuC2wdD8XIcTiR0x13qN9Ue7Uy0B1mkdyBFM-2F-2FLCkULNCj3vHyywuiz7XFtD80zjdMZ6p7qRnJvTxE0OErqVvXV7ExeSfPpIkvRb2vtYGXyPwsJU84YitEGasTuan1Qb7qY-2BCjK-2BGu2OF5qtxAM4ffvs-2FAs5ymdEqvJZV5Bn1jeQjLz6wDOoEy-2B8bZnhDZ-2BAPDyVjfuq0GObtbYn-2Fb4GPUYaWbH-2F93IuGgnTByDILI-2FWE9MVp3RKV-2F-2BBryOsBGlBUQrWR2ImfTNzWzMbBrj-2BKqW5yNH1deqIdAglTH68WrBSO0mlGYUjctN4j364ck9SzZdvU5uN2VirSfK9wZwGXR-2B6p-2FOHwxd9cjm1b-2BjZRFALK9cu3efthTs-2BPI5tXAxrm5lL9s-2B9SEQz4IW6nJ3DWzdxXvZ4LC5H5taTAQj2lceiCXaxhPNI6PfuuInsvKiGXyFdparkshCJAzM5SH0o7fpSAMjEQa7MyV8onNW	Get hash	malicious	HTMLPhisher	Browse
	http://rest.cdntoswitchspirit.com	Get hash	malicious	Unknown	Browse
	https://docsend.com/view/mdchukx3ui72iuwy	Get hash	malicious	HTMLPhisher	Browse
	https://ipfs.io/ipfs/bafkreiaifz4xo7tqmc7x3hbuqb4wsvlnyylklzgwnldgkszguv3ly2jdoy#YOUREMAIL	Get hash	malicious	Unknown	Browse
	http://shivamgangrade24.github.io/microsoft2	Get hash	malicious	Unknown	Browse
	0af4a52e.0cce76886785b0ff1283f346.workers.devemailantonio.cataneo@axactor.com.msg	Get hash	malicious	HTMLPhisher	Browse
	Pepsico LLC Company Profile.xls	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
part-0017.t-0009.t-msedge.net	https://mev-web.ca/?f=QeYBR2wfYK3JYIrbEQZr1C%2bgf3gU%2fmUvL9ovUEhJVZnxPIANQz6rboUW4U4PnItNOSuc98KvirQj3pwhsBFRc8hSk5YuKckp9PXbo9m%2baI9y9BiUYstagDwEu3371ebTwoTckHFX6OqMDkbqHH4mz6uY9e9M%2f9uY9zyYLM%2f9CmDvFT2uK2iCdJwzdbXIyiq2%2b9ClzMjyENFwui3qHuWODETmn%2b6yk0qQuV9sQ%2fGi6URseZjJRDXWcmWLNhvjc38WMu6H6e6u2IwMZcnl78FMfEZPvqt9omZdBVKeliCJX88SZ7m5zXYeBaIXu8XXIgDTSHNQrcMQ6iWL3ktNU9KNVy2%2fbL15XB8sLGGe1uVAbQ9hwGnOnoH4sBJOe3%2fpYYneZARrLcwphZSIduyqT3At%2f6Bzn57i7UC9z7ZDalFnOM1dZy5wNqsV62py1LJecHSNYxeFwHwj8D54XILdKl0BfW7sHpba1eyZjI%2bO8%2bGRE69nPLRa%2ffTy6B9wpFibF3RT	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://bizzerba.com/?ksoxtyqh&qrc=eaastsales@tronicsamerica.com	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	Re_ Bridge Drainage Enquiry.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Re_ Enquiry.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://m.exactag.com/ai.aspx?tc=d9069973bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Aroyalweddingsktm.com%2Fimgs%2F37534%2Fsin3qp16kb%2FbWFyYy5zbWl0aEB6YmV0YS5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://portal.confideshare.com/ice/anonymouspdf?ZDc1YmM4ZTAtODI3OS00ZGQ3LTlhNDEtNjNiMTA1NjE5MDdlL2NhYzQ1MWM0LWUwY2MtNGRmMC1iMmEyLTExODM4MGY5NzRkNi8xL1VTIC0gRWFzdA==	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://weblaunch.blifax.com/listener3/redirect?l=e6df36b9-5af1-4758-b7e4-83fbf7f30dfb&id=e0d346f1-f241-ee11-acc4-000c295a2555&u=http%253Aeyesontheguys.com%2Fwinner%2F03013%2F%2FYnJhbmRvbi5nYXJjaWFAZ3RmY3Uub3Jn	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	2024-05-17_416001036.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://u44480879.ct.sendgrid.net/ls/click?upn=u001.K3PKLmjBF8yuYObBAUhMhoYgMCf2QPF8-2BZI72vFIksvq5gv1YdeLmebXIjmharYkUcFgg0gxX-2FWnhhIuwG1v7hZ1jSPSflMHjG28wduJ6WYURJRkvoZYkrpgydIv6UCw7t1grI-2FOHPnDvS00ShpX9xXHYT95jO14dPyhKlpfAgbiguCssCUSGyzsUXoj0i5OD5WgRtFSbHv5xA6nkt2-2BnV2PahLYLwt63WRXCeSfWq4QVMqO-2BJ19jNeGlkPsSJ7LjTRQ_i2l0JY0a-2B5IHliMJOpuAQskejvIIAloJuWpirDIyAKvqXPSxi-2BJFNs3s-2BBhNyt3IuemV4R9vgK4lniAodKDuO5I3mYVK4xxASVKvZBnT0EvvqLHkUoab3uOwe13cn6mNyhQaL1Vcdvxd7XZ0GFfTZ9aBlD2GiHfinlIyB6vRF7bjNGZmtvLv3o0jYjOgY4RXF495TuUjjBZNoMguN8rUGoiNOkgNXvc2IiDsbNfgghazj2fwqVSs1vbmTcZe0zePKD2UCPQB-2F0HgPY4-2FJ1DTehOrWMbxZ-2FvJVCWppZOFHMlDv0TKEyx1-2FUlF330qgqw9RpmfgzpuSa3QNju2XxovCzCQMgiykbvuS-2BASB-2BwolLPpkcOYAm2PSCx0uDNQdWPLOarKIcv5eBG38XDZm38U-2BPUlNv7WKbMtJQtnyTRX26RGa2QEgMJJEg7pVaW1E3fNSFtUzV-2B9TRB6AR-2F0dQVDjN-2BDXbuC2wdD8XIcTiR0x13qN9Ue7Uy0B1mkdyBFM-2F-2FLCkULNCj3vHyywuiz7XFtD80zjdMZ6p7qRnJvTxE0OErqVvXV7ExeSfPpIkvRb2vtYGXyPwsJU84YitEGasTuan1Qb7qY-2BCjK-2BGu2OF5qtxAM4ffvs-2FAs5ymdEqvJZV5Bn1jeQjLz6wDOoEy-2B8bZnhDZ-2BAPDyVjfuq0GObtbYn-2Fb4GPUYaWbH-2F93IuGgnTByDILI-2FWE9MVp3RKV-2F-2BBryOsBGlBUQrWR2ImfTNzWzMbBrj-2BKqW5yNH1deqIdAglTH68WrBSO0mlGYUjctN4j364ck9SzZdvU5uN2VirSfK9wZwGXR-2B6p-2FOHwxd9cjm1b-2BjZRFALK9cu3efthTs-2BPI5tXAxrm5lL9s-2B9SEQz4IW6nJ3DWzdxXvZ4LC5H5taTAQj2lceiCXaxhPNI6PfuuInsvKiGXyFdparkshCJAzM5SH0o7fpSAMjEQa7MyV8onNW	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	http://rest.cdntoswitchspirit.com	Get hash	malicious	Unknown	Browse	13.107.213.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	2T6MGxlKZT.exe	Get hash	malicious	SmokeLoader	Browse	20.42.73.29
	https://mev-web.ca/?f=QeYBR2wfYK3JYIrbEQZr1C%2bgf3gU%2fmUvL9ovUEhJVZnxPIANQz6rboUW4U4PnItNOSuc98KvirQj3pwhsBFRc8hSk5YuKckp9PXbo9m%2baI9y9BiUYstagDwEu3371ebTwoTckHFX6OqMDkbqHH4mz6uY9e9M%2f9uY9zyYLM%2f9CmDvFT2uK2iCdJwzdbXIyiq2%2b9ClzMjyENFwui3qHuWODETmn%2b6yk0qQuV9sQ%2fGi6URseZjJRDXWcmWLNhvjc38WMu6H6e6u2IwMZcnl78FMfEZPvqt9omZdBVKeliCJX88SZ7m5zXYeBaIXu8XXIgDTSHNQrcMQ6iWL3ktNU9KNVy2%2fbL15XB8sLGGe1uVAbQ9hwGnOnoH4sBJOe3%2fpYYneZARrLcwphZSIduyqT3At%2f6Bzn57i7UC9z7ZDalFnOM1dZy5wNqsV62py1LJecHSNYxeFwHwj8D54XILdKl0BfW7sHpba1eyZjI%2bO8%2bGRE69nPLRa%2ffTy6B9wpFibF3RT	Get hash	malicious	Unknown	Browse	20.104.163.113
	https://cs-server-s2s.yellowblue.io/sync-iframe	Get hash	malicious	Unknown	Browse	13.107.42.14
	11650000000026213681.exe	Get hash	malicious	DBatLoader	Browse	150.171.41.11
	11650000000026213681.exe	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	http://adsbymediavine.com	Get hash	malicious	Unknown	Browse	13.107.42.14
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	13.107.139.11
	https://internal--alert-teamapp-site.ipns.dweb.link/#YW1hbmRhLm1vcnJpc29uQG9uZWFtZXJpY2EuY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://markkaleelcpa-my.sharepoint.com/:b:/p/mark/EdMYrJ-SJnZMoOxQFVo0rPIBwnXkE3DnasKEJCVIoBuoZQ?e=sy8Kb5&xsdata=MDV8MDJ8Z29yZGl5ZW5rby5hbmFzdGFzaWFAZGVtZS1ncm91cC5jb218ZjBmNzUyMDgyMTI5NDQ5MjJlMDkwOGRjN2E0OTQ1ZTZ8NGUyY2JmNjJjY2ZiNDNhN2JlM2Y3ZWI3YTg1OGJjZWN8MHwwfDYzODUxOTcwMjM0NzEwNDE0NHxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=YmpzRTZlMXNTdjk2Z0dONFAwYlNkVWtJU3A1MmdrUEFmSkNuaVBVeGtVZz0%3d	Get hash	malicious	HTMLPhisher	Browse	52.104.71.55

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	https://forfbidrecrossboot.pages.dev/503.js	Get hash	malicious	Unknown	Browse	13.107.213.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.213.45
	11650000000026213681.exe	Get hash	malicious	DBatLoader	Browse	13.107.213.45
	GF87654456789900..DOC.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.213.45
	11650000000026213681.exe	Get hash	malicious	DBatLoader	Browse	13.107.213.45
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	13.107.213.45
	1.exe	Get hash	malicious	Mimic	Browse	13.107.213.45
	ORDEN_NR2405073.exe	Get hash	malicious	DBatLoader	Browse	13.107.213.45
	ORDEN_NR2405073.exe	Get hash	malicious	DBatLoader	Browse	13.107.213.45

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.461007218574996
Encrypted:	false
SSDEEP:	6:kKZC8avJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:0skPlE99SCQl2DUevat
MD5:	10D53010C73A99C43DC8E2978227646C
SHA1:	11C9F1CC3D8E6218742F1D4D1C3E4E6412620A76
SHA-256:	B43EB2AD108238EF65992DE8B27DFACABCCC32EDBA75588E20CC3F2BE98A9935
SHA-512:	734A178E3CB30D06FC530BB231185E5DA9063AC8BEB616113106BA45980FB5AD7D65FC41AF70FF9D0AD1648093C8EEEEBD293F3AE8A5935F7105624A487B1890
Malicious:	false
Reputation:	low
Preview:	p...... ..........}a...(..................................................@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	4.284357171021609
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	22-May-24-document-137bcf45.xll
File size:	12'288 bytes
MD5:	cbc99f197fd36b22994012714799e4d9
SHA1:	fd280d3c557ab3af725da54f107e013969dc6848
SHA256:	c8e254f7ea199b0e86278bfbe0e6f8ea107031d7503a04e21ca29918a2502ffb
SHA512:	7eb45a7fdd2fc7386cf681e650f82a757e4d597b48c038152e2dce1d7b9e9be5f56fe9d1483bfd1c43156c3ee70eae61ff60bcd2edc200e6870c312170d80c53
SSDEEP:	192:IL29RBzDzeobchBj8JONSONPruKrEPEjr7AhJ:G29jnbcvYJOP5uKvr7CJ
TLSH:	5D42C60EBB6356BCC816D178C1EB9771F1F2B41112268B2D07B0DB371EB1A69562DD09
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Mf..........."...$.....,......P.........+.....................................h.....`... ............................

Static PE Info

General

Entrypoint:	0x2c32b1350
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x2c32b0000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x664DF1F6 [Wed May 22 13:24:06 2024 UTC]
TLS Callbacks:	0xc32b1510, 0x2, 0xc32b14e0, 0x2
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b96aec3ffae7ee03e83bfcd97f055c55

Entrypoint Preview

Instruction
dec eax
mov eax, dword ptr [00002FE9h]
mov dword ptr [eax], 00000000h
jmp 00007FD4A0F31713h
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
mov edx, ecx
dec eax
lea ecx, dword ptr [00005C86h]
jmp 00007FD4A0F32646h
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FD4A0F31859h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
sub esp, 38h
inc ebp
xor ecx, ecx
xor ecx, ecx
dec esp
lea eax, dword ptr [00002C50h]
dec eax
lea edx, dword ptr [00002C81h]
dec eax
mov dword ptr [esp+20h], 00000000h
call 00007FD4A0F318B0h
mov dword ptr [esp+28h], 00000000h
xor ecx, ecx
dec esp
lea ecx, dword ptr [00002CE6h]
dec eax
mov dword ptr [esp+20h], 00000000h
dec esp
lea eax, dword ptr [00002C1Ah]
dec eax
lea edx, dword ptr [00002CDBh]
call dword ptr [00007E11h]
xor eax, eax
dec eax
add esp, 38h
ret
nop
nop
nop
nop
nop
nop
jmp dword ptr [00007E0Eh]
nop
nop
nop dword ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000000F5h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8000	0x5a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9000	0x414	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5000	0x1c8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0x58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4120	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9144	0xe0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1328	0x1400	84742be1709f3898044d3fb82aed35a4	False	0.580859375	data	5.916462105665358	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x40	0x200	cda821da9e0c70780df6c456ea7f69b5	False	0.05859375	data	0.322541603835012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4000	0x350	0x400	2918faead45a2eacdbd70a2d2c2283ef	False	0.3759765625	data	3.3192438105804567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x5000	0x1c8	0x200	feb44b7e1d9d7a1f5c38c8e31cf91009	False	0.5390625	data	3.428853958367466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x6000	0x130	0x200	5ffb25ed738474db92f0d755615a5bf1	False	0.322265625	data	2.629423229714015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x7000	0xe0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x8000	0x5a	0x200	ea9c36120a47a856f64f45590abaf449	False	0.166015625	data	0.9418501569517403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x9000	0x414	0x600	676ff18ee333ec1f2c163635315b5480	False	0.283203125	data	2.7697675983474315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xa000	0x58	0x200	9437081104df94aef17f86f971c6a06d	False	0.056640625	data	0.25323120180391656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xb000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xc000	0x58	0x200	aaef006c86288ce5a1f076c63d4dc69f	False	0.17578125	data	0.9130963814717786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll	__iob_func, _amsg_exit, _initterm, _lock, _unlock, abort, calloc, free, fwrite, realloc, strlen, strncmp, vfprintf
SHELL32.dll	ShellExecuteW
urlmon.dll	URLDownloadToFileW

Exports

Name	Ordinal	Address
hash	1	0x2c32b3000
xlAutoOpen	2	0x2c32b13a0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 18:03:53.584762096 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.584793091 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.584824085 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.584829092 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.584913015 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.584913015 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.584948063 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.584955931 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.585087061 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.585383892 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.585383892 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.585422039 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.585436106 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.585488081 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.585488081 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.586132050 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.586134911 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.586142063 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.586143017 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.586411953 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.586416960 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.586762905 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.586769104 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:53.586770058 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:53.586781025 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.287197113 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.287314892 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.287537098 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.287600994 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.289227009 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.289457083 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.289684057 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.289747953 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.290529966 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.290604115 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.339010000 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.339037895 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.339340925 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.340425968 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.340497971 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.340795040 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.341389894 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.341954947 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.341976881 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.342463970 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.343007088 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.343610048 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.343622923 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.343792915 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.343803883 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.343961000 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.344696999 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.344789982 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.345155954 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.345994949 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.386492014 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.386503935 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.386511087 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.386518002 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.390505075 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.446702003 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.446719885 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.446780920 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.446814060 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.446886063 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.447988033 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.448004007 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.448016882 CEST	49754	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.448023081 CEST	443	49754	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.459806919 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.459830046 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.459884882 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.459897041 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.459898949 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.459944963 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.459956884 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.459960938 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.459997892 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.460082054 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.460588932 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.460593939 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.460607052 CEST	49753	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.460609913 CEST	443	49753	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.461508989 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.461512089 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.461523056 CEST	49755	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.461525917 CEST	443	49755	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.466175079 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.466216087 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.466294050 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.466883898 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.466897011 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.468338966 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.468406916 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.468585014 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.469237089 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.469248056 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.469259977 CEST	49756	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.469264984 CEST	443	49756	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.471703053 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.471712112 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.471755028 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.471887112 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.471966028 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.472019911 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.472083092 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.472091913 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.476866007 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.476939917 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.477010965 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.477065086 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.477071047 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.477077961 CEST	49757	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.477082968 CEST	443	49757	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.479124069 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.479136944 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.486715078 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.486732960 CEST	443	49761	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.486866951 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.489567041 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.489567041 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.489582062 CEST	443	49761	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.489592075 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:54.490499973 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.490972996 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:54.490981102 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:55.163450003 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:55.167629957 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:55.177109957 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:55.185869932 CEST	443	49761	13.107.213.45	192.168.2.4
May 22, 2024 18:03:55.192372084 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:55.207710981 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:55.223423004 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:55.223426104 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:55.238940954 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:55.238940954 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.460645914 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.460724115 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.461349010 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.461378098 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.461479902 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.461491108 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.461999893 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.462052107 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.462745905 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.462757111 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.462763071 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.462769032 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.463221073 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.463238001 CEST	443	49761	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.463320971 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.463332891 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.464149952 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.464158058 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.464515924 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.464521885 CEST	443	49761	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.565289974 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.565470934 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.565545082 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.565895081 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.565941095 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.565974951 CEST	49758	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.565990925 CEST	443	49758	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.567259073 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.567336082 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.567374945 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.568294048 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.568308115 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.568319082 CEST	49762	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.568324089 CEST	443	49762	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.569714069 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.569785118 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.569828987 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.570880890 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.570898056 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.570924044 CEST	49759	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.570934057 CEST	443	49759	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.571048021 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.571124077 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.571168900 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.574915886 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.574922085 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.574935913 CEST	49760	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.574939013 CEST	443	49760	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.576055050 CEST	443	49761	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.576216936 CEST	443	49761	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.576272011 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.577987909 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.577991962 CEST	443	49761	13.107.213.45	192.168.2.4
May 22, 2024 18:03:57.578002930 CEST	49761	443	192.168.2.4	13.107.213.45
May 22, 2024 18:03:57.578006029 CEST	443	49761	13.107.213.45	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 22, 2024 18:03:53.583574057 CEST	1.1.1.1	192.168.2.4	0x76cb	No error (0)	shed.dual-low.part-0017.t-0009.t-msedge.net	part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 22, 2024 18:03:53.583574057 CEST	1.1.1.1	192.168.2.4	0x76cb	No error (0)	part-0017.t-0009.t-msedge.net		13.107.213.45	A (IP address)	IN (0x0001)	false
May 22, 2024 18:03:53.583574057 CEST	1.1.1.1	192.168.2.4	0x76cb	No error (0)	part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

otelrules.azureedge.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49754	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:54 UTC	208	OUT	GET /rules/rule170012v10s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:54 UTC	584	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:54 GMT Content-Type: text/xml Content-Length: 1523 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT ETag: "0x8DC582BD969CD29" x-ms-request-id: ec7db18e-301e-0028-5560-ac1cda000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160354Z-16f669959b4stn6b7qdxu69yy400000003fg00000000cyfg x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:54 UTC	1523	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="10" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49756	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:54 UTC	207	OUT	GET /rules/rule324001v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:54 UTC	491	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:54 GMT Content-Type: text/xml Content-Length: 513 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:31 GMT ETag: "0x8DC582BD84BDCC1" x-ms-request-id: c90870fa-601e-008d-6060-ac5db6000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160354Z-16f669959b4k2842qfx0xu3vng00000003a000000000q2br x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:54 UTC	513	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 31 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 50 72 6f 6a 65 63 74 4c 6f 61 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49757	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:54 UTC	207	OUT	GET /rules/rule324002v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:54 UTC	491	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:54 GMT Content-Type: text/xml Content-Length: 833 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT ETag: "0x8DC582BD9758B35" x-ms-request-id: 31c701cd-b01e-0064-4c60-ac3bd2000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160354Z-16f669959b4kxg8rper91yzfwg00000003r000000000073v x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:54 UTC	833	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 32 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 44 65 63 6c 61 72 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 30 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49753	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:54 UTC	206	OUT	GET /rules/rule63067v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:54 UTC	584	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:54 GMT Content-Type: text/xml Content-Length: 2871 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT ETag: "0x8DC582BEC5E84E0" x-ms-request-id: 1480fabc-201e-0065-2960-ac10d0000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160354Z-16f669959b4kxg8rper91yzfwg00000003pg0000000047sk x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:54 UTC	2871	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49755	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:54 UTC	207	OUT	GET /rules/rule490016v3s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:54 UTC	491	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:54 GMT Content-Type: text/xml Content-Length: 777 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT ETag: "0x8DC582BEC2AAB32" x-ms-request-id: 76fa7e27-e01e-003d-3060-ac2bf2000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160354Z-16f669959b48c7s51mf23re5v000000003m0000000005ubu x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:54 UTC	777	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 34 39 30 30 31 36 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 46 65 65 64 62 61 63 6b 2e 53 75 72 76 65 79 2e 46 6c 6f 6f 64 67 61 74 65 43 6c 69 65 6e 74 2e 52 6f 61 6d 69 6e 67 53 75 63 63 65 73 73 66 75 6c 52 65 61 64 57 72 69 74 65 22 20 41 54 54 3d 22 64 37 39 65 38 32 34 33 38 36 63 34 34 34 31 63 62 38 63 31 64 34 61 65 31 35 36 39 30 35 32 36 2d 62 64 34 34 33 33 30 39 2d 35 34 39 34 2d 34 34 34 61 2d 61 62 61 39 2d 30 61 66 39 65 65 66 39 39 66 38 34 2d 37 33 36 30 22 20 54 3d 22 55 70 6c 6f 61 64 2d 4d 65 64 69 75 6d 22 20 44 4c 3d 22 4e 22 20 44 43 61 3d 22 50 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49758	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:57 UTC	207	OUT	GET /rules/rule324003v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:57 UTC	491	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:57 GMT Content-Type: text/xml Content-Length: 716 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT ETag: "0x8DC582BD9F5CC0A" x-ms-request-id: 38f15938-501e-0046-0e60-acfce5000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160357Z-16f669959b46xlpd2mxthqg02400000001dg00000000v3sz x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:57 UTC	716	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 33 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 52 65 66 65 72 65 6e 63 65 64 4c 69 62 72 61 72 79 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49759	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:57 UTC	207	OUT	GET /rules/rule324004v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:57 UTC	491	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:57 GMT Content-Type: text/xml Content-Length: 738 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT ETag: "0x8DC582BD9FE7D4B" x-ms-request-id: 11f74ab1-e01e-0001-7860-acfefa000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160357Z-16f669959b427jgr80kzk67y4400000003p0000000008eyc x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:57 UTC	738	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 34 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 4f 62 6a 65 63 74 49 6e 73 74 61 6e 74 69 61 74 65 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49762	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:57 UTC	207	OUT	GET /rules/rule324007v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:57 UTC	491	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:57 GMT Content-Type: text/xml Content-Length: 611 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:50 GMT ETag: "0x8DC582BBFB58BC6" x-ms-request-id: e97b76de-201e-0065-0360-ac10d0000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160357Z-16f669959b4stn6b7qdxu69yy400000003ag00000000v2xn x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:57 UTC	611	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 37 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 49 64 65 4d 61 63 72 6f 52 75 6e 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324007" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryIdeMacroRun" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49760	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:57 UTC	207	OUT	GET /rules/rule324005v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:57 UTC	491	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:57 GMT Content-Type: text/xml Content-Length: 599 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:51 GMT ETag: "0x8DC582BC0B3C3C8" x-ms-request-id: 4a52c665-c01e-0097-0860-ace381000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160357Z-16f669959b4wcr8fx75afmqyzg00000003hg00000000wggq x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:57 UTC	599	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 35 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 70 69 6c 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49761	13.107.213.45	443	1068	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-22 16:03:57 UTC	207	OUT	GET /rules/rule324006v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-05-22 16:03:57 UTC	491	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 16:03:57 GMT Content-Type: text/xml Content-Length: 599 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:44 GMT ETag: "0x8DC582BBC83D642" x-ms-request-id: 118f7bf8-f01e-00a0-3760-ac139e000000 x-ms-version: 2018-03-28 x-azure-ref: 20240522T160357Z-16f669959b4np8fgddqght2c4g00000002gg0000000005r5 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-22 16:03:57 UTC	599	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 36 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 53 68 6f 77 49 64 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">

Target ID:	0
Start time:	12:02:42
Start date:	22/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C "C:\Users\user\Desktop\22-May-24-document-137bcf45.xll"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:02:42
Start date:	22/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:02:43
Start date:	22/05/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" -xlls "C:\Users\user\Desktop\22-May-24-document-137bcf45.xll"
Imagebase:	0x120000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:03:48
Start date:	22/05/2024
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff646140000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 22-May-24-document-137bcf45.xll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Static File Info

General

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 6848, Parent PID: 5040

Windows Analysis Report
22-May-24-document-137bcf45.xll