Edit tour

Windows Analysis Report
PO 4500025813.xls

Overview

General Information

Sample name:	PO 4500025813.xls
Analysis ID:	1446720
MD5:	1a1256f2cb9b79e436d93cb4ef7965e9
SHA1:	d759cc8c94f83d931d339bf576c2d2a6d2edc111
SHA256:	547e6df90153f3d2b2c8ae05399fef0b98431f2ec3d5628cb570acf0f0af393e
Tags:	xls
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Excel sheet contains many unusual embedded objects

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1128 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Sigma Signatures

System Summary

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1128, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1128, Protocol: tcp, SourceIp: 188.114.97.3, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1128, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PO 4500025813.xls

ReversingLabs: Detection: 15%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic

DNS query: name: qr-in.com

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: global traffic	HTTP traffic detected: GET /RtWEZGi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /RtWEZGi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-AliveCookie: PHPSESSID=2fpj5qe86di95ocg0rn295j24v

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FBE9C81C.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /RtWEZGi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /RtWEZGi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-AliveCookie: PHPSESSID=2fpj5qe86di95ocg0rn295j24v

Source: global traffic

DNS traffic detected: DNS query: qr-in.com

Source: PO 4500025813.xls, 5D330000.0.dr	String found in binary or memory: http://qr-in.com/RtWEZGi
Source: PO 4500025813.xls, 5D330000.0.dr, A04C86FF.emf.0.dr, 7B56516D.png.0.dr, ~DF8B0F277084679A1A.TMP.0.dr, ~DF6E18AAE11A49FA57.TMP.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 12

Screenshot OCR: Enable Content from the yellow bar above 19 12 ' " Vol :1ren KOyU, Canakk 20 13 " Akc ay Cad. No

Excel sheet contains many unusual embedded objects

Source: PO 4500025813.xls	OLE: Microsoft Excel 2007+
Source: ~DF8B0F277084679A1A.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 5D330000.0.dr	OLE: Microsoft Excel 2007+

Source: PO 4500025813.xls	Stream path 'MBD00088CAD/\x1Ole' : http://qr-in.com/RtWEZGi*>OFl=Iz%BLN3\}_Cxoja1[{d+D/hBrhSw;(a/6l:k")Yn{8OspjCi,XNd&Q6S-=`.+-:b/bvHxVr:ftn3Wz>vsT\|M"OECcY3ad2UKC34mOfXGjIQl5QXdRsCwN4zSPsZsqL48KjLOlkfCVLXwtId00gxEI7RyYeyRGopk96g6U45ALPHzFLbtg6F3wyMkWjn5Ld1WyCViIwQZOf3mbQrozuqVevIfNkQkXyJ2XX1mEjmycs2qY7La5PRfxMwrng5oaDgCJ7JbIpj5TMcguLG8mQdAZjYt561eNcgAVXQKpj8AGtqQWwEraEtaERrWM5JHrS3StvKs\|K\|\j]"Jik$.uw
Source: 5D330000.0.dr	Stream path 'MBD00088CAD/\x1Ole' : http://qr-in.com/RtWEZGi*>OFl=Iz%BLN3\}_Cxoja1[{d+D/hBrhSw;(a/6l:k")Yn{8OspjCi,XNd&Q6S-=`.+-:b/bvHxVr:ftn3Wz>vsT\|M"OECcY3ad2UKC34mOfXGjIQl5QXdRsCwN4zSPsZsqL48KjLOlkfCVLXwtId00gxEI7RyYeyRGopk96g6U45ALPHzFLbtg6F3wyMkWjn5Ld1WyCViIwQZOf3mbQrozuqVevIfNkQkXyJ2XX1mEjmycs2qY7La5PRfxMwrng5oaDgCJ7JbIpj5TMcguLG8mQdAZjYt561eNcgAVXQKpj8AGtqQWwEraEtaERrWM5JHrS3StvKs\|K\|\j]"Jik$.uw

Source: ~DF8B0F277084679A1A.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal60.winXLS@1/10@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\5D330000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7FB9.tmp

Jump to behavior

Source: PO 4500025813.xls	OLE indicator, Workbook stream: true
Source: 5D330000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: PO 4500025813.xls

ReversingLabs: Detection: 15%

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: PO 4500025813.xls

Initial sample: OLE indicators vbamacros = False

Source: PO 4500025813.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: PO 4500025813.xls	Stream path 'MBD00088CAC/Package' entropy: 7.95103243582 (max. 8.0)
Source: PO 4500025813.xls	Stream path 'Workbook' entropy: 7.98985924559 (max. 8.0)
Source: ~DF8B0F277084679A1A.TMP.0.dr	Stream path 'Package' entropy: 7.94201653752 (max. 8.0)
Source: 5D330000.0.dr	Stream path 'MBD00088CAC/Package' entropy: 7.94201653752 (max. 8.0)
Source: 5D330000.0.dr	Stream path 'Workbook' entropy: 7.99709423089 (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	12 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO 4500025813.xls	16%	ReversingLabs	Document-Excel.Trojan.Heuristic

Source	Detection	Scanner	Label	Link
http://www.day.com/dam/1.0	0%	URL Reputation	safe
http://qr-in.com/RtWEZGi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
qr-in.com	188.114.97.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://qr-in.com/RtWEZGi	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.day.com/dam/1.0	PO 4500025813.xls, 5D330000.0.dr, A04C86FF.emf.0.dr, 7B56516D.png.0.dr, ~DF8B0F277084679A1A.TMP.0.dr, ~DF6E18AAE11A49FA57.TMP.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	qr-in.com	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446720
Start date and time:	2024-05-23 20:26:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO 4500025813.xls
Detection:	MAL
Classification:	mal60.winXLS@1/10@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PO 4500025813.xls

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	SCB REmittance Advice.doc	Get hash	malicious	Lokibot	Browse	rocheholding.top/evie3/five/fre.php
	WRnJsnI1Zq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	objectiveci.top/pythonpacketGamebigloadprivateCentral.php
	http://hjkie5.pages.dev/	Get hash	malicious	Unknown	Browse	hjkie5.pages.dev/
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	qr-in.com/GDKZCby
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/atBVKxq
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	qr-in.com/GDKZCby
	file.exe	Get hash	malicious	Unknown	Browse	wagner3.net/admin
	Product Listsd#U0334r#U0334o#U0334w#U0334..exe	Get hash	malicious	FormBook	Browse	www.sba99prag.com/pshj/
	ORDIN.xls	Get hash	malicious	Unknown	Browse	qr-in.com/HDYwZbx
	ORDIN.xls	Get hash	malicious	Unknown	Browse	qr-in.com/HDYwZbx

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
qr-in.com	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	ORDIN.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	ORDIN.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	ORDIN.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	BankSwift.xls	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	172.67.177.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://freexxxth.link	Get hash	malicious	Unknown	Browse	104.21.25.77
	https://freexxxth.link	Get hash	malicious	Unknown	Browse	172.67.223.248
	SCB REmittance Advice.doc	Get hash	malicious	Lokibot	Browse	188.114.97.9
	V_273686.Lnk.lnk	Get hash	malicious	MalLnk	Browse	172.67.217.192
	kam.cmd	Get hash	malicious	GuLoader	Browse	104.21.28.80
	https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1	Get hash	malicious	Unknown	Browse	104.21.39.66
	https://www.google.com/url?q=https://tame-coherent-emmental.glitch.me/%23aG95ZUB1bW4uZWR1&source=gmail-imap&ust=1717088881000000&usg=AOvVaw14q68JL0hvqaGr_XiCkvK4	Get hash	malicious	HTMLPhisher	Browse	172.64.154.146
	http://all4promos.com	Get hash	malicious	Unknown	Browse	162.247.243.29
	Doc0781123608.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	172.67.74.152
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.26.0.5

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1008 x 529, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	116917
Entropy (8bit):	7.962967514652866
Encrypted:	false
SSDEEP:	3072:K34UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyj:k4UcLe0JOqPQZR8MDdATCR3tSw
MD5:	460EFCF478D05AFB04311BA4833B41FB
SHA1:	35A00E81ED5AA915810702E9BA42E0D6E9E24BA1
SHA-256:	ABBF9B20F57F85EDAD5D5B5848335775428B47D1A48C0772A72D7A6C136D9C51
SHA-512:	C5C6414B88579ADF217DE22C52C1CCB244EB532DED4B2533136D54D1D0F2EC474C36E2BC163FB9BCE05079AD06313B559C9746F73BC82FF42933EB1A3B94DD07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............0V.....sRGB.........gAMA......a.....pHYs..........+......iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c137 1.000000, 0000/00/00-00:00:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:ns1="http://www.day.com/dam/1.0". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". ns1:Physicalheightininches="-1.0". ns1:Physicalwidthininches="-1.0". ns1:Fileformat="PNG". ns1:Progressive="no". ns1:extracted="2018-06-11T14:21:13.228-07:00". ns1:Bitsperpixel="8". ns1:MIMEtype="image/png". ns1:Physicalwidthindpi="-1". ns1:Physicalheightindpi="-1". ns1:Numberofimages="1". ns1:Numberoftextualcomments="0". ns1:sha1="a5883b71b35060c98e8449851de4fae668c6ea9d". ns1:size="54990". tiff:ImageLength="727". tiff:ImageWidth="1020". dc:format="

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A04C86FF.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1063688
Entropy (8bit):	3.2867843966970987
Encrypted:	false
SSDEEP:	6144:SFOSyH4UcLe0JOqDQZR8MDdATCR3tSpjqcn:oUP/qDQZR8MxAm/SNnn
MD5:	B75BEAB062262E9FE0F994171FB4506C
SHA1:	DA7D4C80217F413EC1A59D937D930946639A5225
SHA-256:	96044A2032199CD5CB4C0567BC8F420500F38618FC26595D9F8EED6F3FCF0161
SHA-512:	D86778DF51FE117F05228DFA47585445E53AEEE4E1FE90E4E45BB70C72CB5E6617E70D455BFA3A9BDD276A5C46A7F045FA46E5C2FB6C62FF561DB50132E26A82
Malicious:	false
Reputation:	low
Preview:	....l...........................{....9.. EMF.....;..............................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................o..."...........!...................................................o..."...........!...................................................o..."...........!...................................................o..."...........!...................................................o...'.......................%...........................................................L...d...............>...............?...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............>...............

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FBE9C81C.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	631964
Entropy (8bit):	1.895535102510293
Encrypted:	false
SSDEEP:	1536:V55tmuHoShA5q/ri+lGnSfKcfu50y7eMGn5v1IN6zJ8Tqbb0z88eqlexq2:kMZu50yknG/qc+R
MD5:	20AF225366CE6EDF8BE97371C90A7FA7
SHA1:	319E417FDB0D321E91B4A3904C49DEE6CBFEBF80
SHA-256:	0B2B9FBE0F1111FCEE4398B1AB3FE8788F3D0CBB9EB702B6EA729E0FEBD523E0
SHA-512:	4457677FACDC9EAB033FDED59C37FFC8BEEE6225145876481F361C834DA86D7BAA3F3B1D554C25CC9DD4B84517542691232DEA385BF3DFEC7EA126AC03648337
Malicious:	false
Reputation:	low
Preview:	....l................................5.. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...

C:\Users\user\AppData\Local\Temp\~DF5E208046F04CF4C0.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6E18AAE11A49FA57.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	7.480835752823518
Encrypted:	false
SSDEEP:	3072:u4DEp34UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyE:u4DEB4UcLe0JOqPQZR8MDdATCR3tS
MD5:	B741E0D2B08DBCA497067F31E87F61CF
SHA1:	615390C30CD5933F88DF404C2F628383E8EBAA7C
SHA-256:	1DB16C01E06E002D1C41038831D08ECC54EB5D67E04DFAADF69918619F0F5C0A
SHA-512:	8896AD8886E11AF904EEECE43E5BE7CC31501DF29327FCCF33F0DF8F0BFF2E230CE03B0B1DF0A0CEC226C8E6ED88FB581351DFF316A25294F75E13687DFA655B
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8B0F277084679A1A.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	142336
Entropy (8bit):	7.890230909459693
Encrypted:	false
SSDEEP:	3072:04DEp34UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyE:04DEB4UcLe0JOqPQZR8MDdATCR3tS
MD5:	9EF3E118E202EAE2397D01818A9D7363
SHA1:	A57823714FFFA371ADB39E3BCFB13D29698D9908
SHA-256:	8F5DB1DB693B3E53BDC69693355C790610011AF2687B496A7BA89F3F0840F6A8
SHA-512:	CB89DAF4D432092E7127C89B5E9C67D9F5AB992B39A3BE2C71DE53C4CED12AE4D6B1029D237D407E0489C679A814EA937FB2995E5D8E361CD07D0F6DE3CEAA4F
Malicious:	false
Reputation:	low
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\~DFBF63F4E6D7BA905E.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\5D330000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:27:49 2024, Security: 1
Category:	dropped
Size (bytes):	344064
Entropy (8bit):	7.950545079102334
Encrypted:	false
SSDEEP:	6144:54DEB4UcLe0JOqPQZR8MDdATCR3tS4J4RIPYJchHtmvbzVUMxpyMIm:54gOUP/qPQZR8MxAm/S4JKdJchHWHVHy
MD5:	AF75807FB9AF48D758760DA197D4B392
SHA1:	DF0D4FC123D89B4BC2A96108C6472B09A33630D7
SHA-256:	A1EB442E99CBB8DD50EECFFA09B1DC84ED18F6BE24DCC37251D82EE8113CA004
SHA-512:	8F424138ED076E159BD14EC443EC15418E852AC4CD0988EC70B5449E91C54217C534E79B04F9C39308BA4CFEE6177BF23B16E06B920D3EFB7DE288303E1E5970
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................v.......x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\5D330000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\PO 4500025813.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:27:49 2024, Security: 1
Category:	dropped
Size (bytes):	344064
Entropy (8bit):	7.950545079102334
Encrypted:	false
SSDEEP:	6144:54DEB4UcLe0JOqPQZR8MDdATCR3tS4J4RIPYJchHtmvbzVUMxpyMIm:54gOUP/qPQZR8MxAm/S4JKdJchHWHVHy
MD5:	AF75807FB9AF48D758760DA197D4B392
SHA1:	DF0D4FC123D89B4BC2A96108C6472B09A33630D7
SHA-256:	A1EB442E99CBB8DD50EECFFA09B1DC84ED18F6BE24DCC37251D82EE8113CA004
SHA-512:	8F424138ED076E159BD14EC443EC15418E852AC4CD0988EC70B5449E91C54217C534E79B04F9C39308BA4CFEE6177BF23B16E06B920D3EFB7DE288303E1E5970
Malicious:	false
Preview:	......................>...............................................................v.......x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 07:43:09 2024, Security: 1
Entropy (8bit):	7.919101996007564
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	PO 4500025813.xls
File size:	242'176 bytes
MD5:	1a1256f2cb9b79e436d93cb4ef7965e9
SHA1:	d759cc8c94f83d931d339bf576c2d2a6d2edc111
SHA256:	547e6df90153f3d2b2c8ae05399fef0b98431f2ec3d5628cb570acf0f0af393e
SHA512:	04a0cf5fd50ed7765a2231fc20d2a682ea562dfb18a302de159a97dd9610b79f09385289558478d4d07f068697479b52ec452b1b28cedcfb92b6149563c5b04a
SSDEEP:	6144:4e4UcLe0JOqPQZR8MDdATCR3tSve2wZX/wi6O9whspx:2UP/qPQZR8MxAm/SWjZPtrwS
TLSH:	D634023BBE349597D22185B8748E4983FF7EADC09B43B04F1630729E92725A4DE219CD
File Content Preview:	........................>...................................+...........................n......................................................................................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "PO 4500025813.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-05-23 06:43:09
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.282068105701866
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . \| ` y . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD00088CAC/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD00088CAC/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00088CAC/Package, File Type: Microsoft Excel 2007+, Stream Size: 150141

General
Stream Path:	MBD00088CAC/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	150141
Entropy:	7.951032435815057
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . - N . . . C . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 2d ca 4e f7 b1 01 00 00 43 06 00 00 13 00 cb 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 c7 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00088CAD/\x1Ole, File Type: data, Stream Size: 884

General
Stream Path:	MBD00088CAD/\x1Ole
CLSID:
File Type:	data
Stream Size:	884
Entropy:	5.66751245593119
Base64 Encoded:	False
Data ASCII:	. . . . . 0 . . . ^ / . . . . . . . . . . . . : . . . y . . . K . 6 . . . h . t . t . p . : . / . / . q . r . - . i . n . . . c . o . m . / . R . t . W . E . Z . G . i . . . * * > . O . . F l = I z . % B L N 3 \\ } _ C x o j a 1 [ { d + D / h B r h . S w ; ( . a / 6 l . : . k . " . ) Y . n { . 8 O . . . s p j C i * , . . . X N d . & Q 6 . S . - = ` . . + - : b . / b v . . . H x V . r : f t n 3 W z > . v s T . \| . M " O E . C . . . . . . . . . . . . . . . . . . . c . Y . 3 . a . d . 2 . U . K . C . 3 . 4 . m
Data Raw:	01 00 00 02 c5 95 30 1f 1a 10 5e 2f 00 00 00 00 00 00 00 00 00 00 00 00 3a 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 36 01 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 71 00 72 00 2d 00 69 00 6e 00 2e 00 63 00 6f 00 6d 00 2f 00 52 00 74 00 57 00 45 00 5a 00 47 00 69 00 00 00 bc aa b4 2a 2a 3e 17 4f 02 ea a9 8a a5 46 9d b5 9b bb e0 9a d2 cc 6c 3d d9 49 7a 11 25 9b

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 84678

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	84678
Entropy:	7.989859245586533
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . * . . g J . y N . . * O Y . H . ) E H . ; 2 U + . . . . . . . T . . . \\ . p . ! e g . w B @ k . . E . . @ . < # t . . ; . , b . . b # \\ 9 > Y H . ` " 3 j B . l \| ` p . . . . j 6 @ . D B . . . k ~ a . . . ; . . . = . . . Y . 6 . . . . . . . . q @ . . . . Z $ . . . . P . . . 3 . . . i = . . . e k % T C Z . 1 . @ . . . ? . . . 0 " . . . { . . . . . . . r . . . + 1 . . . p l ? ! 2 . . 4 ) v I . ` @ ? . Y 1 . . . g ! # + s % . . ; N } ? \| l E ( v . 1 .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 2a ff 8a fb 1e f8 0a 67 4a a7 03 79 4e 96 fe b9 fd b8 df 90 0e c0 2a 4f 84 59 c4 02 89 48 bf 87 1a 29 45 cd 48 1b 3b 98 c2 f5 32 82 de 55 a4 2b e1 00 02 00 b0 04 c1 00 02 00 54 bc e2 00 00 00 5c 00 70 00 83 21 b3 65 67 da 1a ba df 77 ba bb 99 42 e4 40 6b ca fe d0 bb b4 00 ba 45 14 8e 20 e4 85

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 20:27:21.948307037 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:21.953857899 CEST	80	49165	188.114.97.3	192.168.2.22
May 23, 2024 20:27:21.953913927 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:21.954056978 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:22.006165028 CEST	80	49165	188.114.97.3	192.168.2.22
May 23, 2024 20:27:22.862984896 CEST	80	49165	188.114.97.3	192.168.2.22
May 23, 2024 20:27:22.863955975 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:22.864311934 CEST	80	49165	188.114.97.3	192.168.2.22
May 23, 2024 20:27:22.864368916 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:22.865516901 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:22.865537882 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:22.867724895 CEST	80	49165	188.114.97.3	192.168.2.22
May 23, 2024 20:27:22.867738008 CEST	80	49165	188.114.97.3	192.168.2.22
May 23, 2024 20:27:22.867786884 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:22.867805004 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:22.889384031 CEST	80	49165	188.114.97.3	192.168.2.22
May 23, 2024 20:27:22.889468908 CEST	49165	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:53.615720987 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:53.620759010 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:27:53.620857000 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:53.620968103 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:53.674323082 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:27:54.495196104 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:27:54.495387077 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:54.495589018 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:54.495589018 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:54.497308969 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:27:54.497483969 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:27:54.502115011 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:27:54.502516031 CEST	49166	80	192.168.2.22	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 20:27:21.920679092 CEST	54562	53	192.168.2.22	8.8.8.8
May 23, 2024 20:27:21.941770077 CEST	53	54562	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 20:27:21.920679092 CEST	192.168.2.22	8.8.8.8	0x73e9	Standard query (0)	qr-in.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2024 20:27:21.941770077 CEST	8.8.8.8	192.168.2.22	0x73e9	No error (0)	qr-in.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:27:21.941770077 CEST	8.8.8.8	192.168.2.22	0x73e9	No error (0)	qr-in.com		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

qr-in.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49165	188.114.97.3	80	1128	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:27:21.954056978 CEST	323	OUT	GET /RtWEZGi HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: qr-in.com Connection: Keep-Alive
May 23, 2024 20:27:22.862984896 CEST	1236	IN	HTTP/1.1 500 Internal Server Error Date: Thu, 23 May 2024 18:27:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: PHPSESSID=2fpj5qe86di95ocg0rn295j24v; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Robots-Tag: noindex CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hRg1D1cpWqF3qK3Y7X1mh9vkxZDfSzuHWysUgFXMToTEfzeZmUFQJ3Kx4TYXylmgxXSAgBGa6vbcXrZ9F6dBo9Giky5SpITnYDydNMdkDqfYUu0bw%2BpzAXy7cwE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88871980ec624291-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 37 64 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 09 09 09 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 09 09 09 09 3c 68 65 61 64 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0d 0a 09 09 09 09 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 30 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 53 6f 75 72 63 65 2b 43 6f 64 65 2b 50 72 6f 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 [TRUNCATED] Data Ascii: 7d0<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" /> <title>500</title> <link href="https://fonts.googleapis.com/css?family=Source+Code+Pro&display=swap" rel="stylesheet"> <style type="text/css">html{font-family:sans-serif;line-height:1.15;-ms-text-size-adjust:100%;-webk
May 23, 2024 20:27:22.864311934 CEST	224	IN	Data Raw: 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 7d 62 6f 64 79 2c 68 74 6d 6c 7b 77 69 64 74 68 3a 31 30 30 25 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 Data Ascii: it-text-size-adjust:100%}body{margin:0}body,html{width:100%;height:100%;background-color:#fff}body{color:#080a20;text-align:center;padding:0;min-height:100%;display:table;font-family: 'Source Code Pro', monospace;}h1{font-fa
May 23, 2024 20:27:22.867724895 CEST	1236	IN	Data Raw: 6d 69 6c 79 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 37 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 33 36 70 78 7d 68 31 20 73 6d 61 6c 6c Data Ascii: mily:inherit;font-weight:700;line-height:1.1;color:inherit;font-size:36px}h1 small{font-weight:700;line-height:1;color:#FF037A}a{text-decoration:none;color:#9c9898;font-size:inherit;border-bottom:dotted 1px #707070}.lead{color:#c2c4d7;font-siz
May 23, 2024 20:27:22.867738008 CEST	88	IN	Data Raw: 64 65 78 2e 70 68 70 28 32 33 29 3a 3c 62 72 3e 47 65 6d 3a 3a 42 6f 6f 74 73 74 72 61 70 28 29 3c 2f 6c 69 3e 3c 6c 69 3e 23 34 20 7b 6d 61 69 6e 7d 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 0d 0a 09 09 09 09 3c 2f 68 Data Ascii: dex.php(23):<br>Gem::Bootstrap()</li><li>#4 {main}</li></ul></div></body></html>
May 23, 2024 20:27:22.889384031 CEST	88	IN	Data Raw: 64 65 78 2e 70 68 70 28 32 33 29 3a 3c 62 72 3e 47 65 6d 3a 3a 42 6f 6f 74 73 74 72 61 70 28 29 3c 2f 6c 69 3e 3c 6c 69 3e 23 34 20 7b 6d 61 69 6e 7d 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 0d 0a 09 09 09 09 3c 2f 68 Data Ascii: dex.php(23):<br>Gem::Bootstrap()</li><li>#4 {main}</li></ul></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49166	188.114.97.3	80	1128	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:27:53.620968103 CEST	369	OUT	GET /RtWEZGi HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: qr-in.com Connection: Keep-Alive Cookie: PHPSESSID=2fpj5qe86di95ocg0rn295j24v
May 23, 2024 20:27:54.495196104 CEST	1236	IN	HTTP/1.1 500 Internal Server Error Date: Thu, 23 May 2024 18:27:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Robots-Tag: noindex CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R3KtnzdDktxkOOj%2FWWJcZfNO5xcvR99Od908ZPJrlNXyZquA9T91zzOtQR7desQBI2SKClCLk7%2FOTAOvqm6T3JWKLNkMqJPIUwevgAgNbppbRaA6itkYXI2lPNI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88871a46ba9219bf-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 37 64 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 09 09 09 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 09 09 09 09 3c 68 65 61 64 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0d 0a 09 09 09 09 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 30 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 09 09 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 53 6f 75 72 63 65 2b 43 6f 64 65 2b 50 72 6f 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 [TRUNCATED] Data Ascii: 7d0<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" /> <title>500</title> <link href="https://fonts.googleapis.com/css?family=Source+Code+Pro&display=swap" rel="stylesheet"> <style type="text/css">html{font-family:sans-serif;line-height:1.15;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}body,html{width:1
May 23, 2024 20:27:54.497308969 CEST	1236	IN	Data Raw: 30 30 25 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 30 38 30 61 32 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 Data Ascii: 00%;height:100%;background-color:#fff}body{color:#080a20;text-align:center;padding:0;min-height:100%;display:table;font-family: 'Source Code Pro', monospace;}h1{font-family:inherit;font-weight:700;line-height:1.1;color:inherit;font-size:36px}h
May 23, 2024 20:27:54.502115011 CEST	261	IN	Data Raw: 2f 63 6f 72 65 2f 47 65 6d 2e 63 6c 61 73 73 2e 70 68 70 28 32 36 37 29 3a 3c 62 72 3e 47 65 6d 45 72 72 6f 72 3a 3a 74 72 69 67 67 65 72 28 29 3c 2f 6c 69 3e 3c 6c 69 3e 23 32 20 2f 68 6f 6d 65 2f 66 6f 72 67 65 2f 71 72 2d 69 6e 2e 63 6f 6d 2f Data Ascii: /core/Gem.class.php(267):<br>GemError::trigger()</li><li>#2 /home/forge/qr-in.com/core/Gem.class.php(160):<br>Gem::Dispatch()</li><li>#3 /home/forge/qr-in.com/public/index.php(23):<br>Gem::Bootstrap()</li><li>#4 {main}</li></ul></div></body>

Target ID:	0
Start time:	14:26:55
Start date:	23/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13fe90000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO 4500025813.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B56516D.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A04C86FF.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FBE9C81C.emf

C:\Users\user\AppData\Local\Temp\~DF5E208046F04CF4C0.TMP

C:\Users\user\AppData\Local\Temp\~DF6E18AAE11A49FA57.TMP

C:\Users\user\AppData\Local\Temp\~DF8B0F277084679A1A.TMP

C:\Users\user\AppData\Local\Temp\~DFBF63F4E6D7BA905E.TMP

C:\Users\user\Desktop\5D330000

C:\Users\user\Desktop\5D330000:Zone.Identifier

C:\Users\user\Desktop\PO 4500025813.xls (copy)

Static File Info

General

File Icon

Static OLE Info

General

OLE File "PO 4500025813.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General

Stream Path: MBD00088CAC/\x1CompObj, File Type: data, Stream Size: 99

Windows Analysis Report
PO 4500025813.xls