
Windows Analysis Report
PURCHASE ORDER - PO#267759.xlam.xlsx

Overview

General Information

Sample name:PURCHASE ORDER - PO#267759.xlam.xlsx
Analysis ID:1646987
MD5:9e6cd3ab7762a50813fb25b114e2b162
SHA1:df4651b08187b62b0a6c43d60e73d3e6374af545
SHA256:8700acf7f7771cfc2e0f8b56f76286e12e2a40016db0d41a3bce914b05f464a9
Tags:AgentTesla, xlam, xlsx, user-abuse_ch

Detection

Score:68
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Document contains OLE streams with names of living off the land binaries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Yara signature match

Classification

(classification chart) Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w11x64_office
  • EXCEL.EXE (PID: 7784 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 2364 cmdline: C:\Windows\splwow64.exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
  • appidpolicyconverter.exe (PID: 8048 cmdline: "C:\Windows\system32\appidpolicyconverter.exe" MD5: 6567D9CF2545FAAC60974D9D682700D4)
    • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup
No configs have been found
Source: sheet1.xml; Rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document; Description: detects AutoLoad documents using LegacyDrawing; Author: ditekSHen; Strings:
  • 0x24c3:$s1: <legacyDrawing r:id="
  • 0x24eb:$s2: <oleObject progId="
  • 0x2528:$s3: autoLoad="true"

System Summary

Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 13.107.246.40, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7784, Protocol: tcp, SourceIp: 192.168.2.25, SourceIsIpv6: false, SourcePort: 49697
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.25, DestinationIsIpv6: false, DestinationPort: 49697, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7784, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched

AV Detection

Source: PURCHASE ORDER - PO#267759.xlam.xlsx; Avira: detected
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; ReversingLabs: Detection: 69%
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; Virustotal: Detection: 58%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: unknown; HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.25:49698 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.25:49697 version: TLS 1.2
Source: global traffic; DNS query: name: otelrules.svc.static.microsoft
Source: global traffic; TCP traffic: 192.168.2.25:49698 -> 13.107.246.40:443 (19 entries)
Source: global traffic; TCP traffic: 192.168.2.25:49697 -> 13.107.246.40:443 (21 entries)
Source: global traffic; TCP traffic: 13.107.246.40:443 -> 192.168.2.25:49697 (12 entries)
Source: global traffic; TCP traffic: 13.107.246.40:443 -> 192.168.2.25:49698 (10 entries)
Source: Joe Sandbox View; IP Address: 13.107.246.40 (2 entries)
Source: Joe Sandbox View; JA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /rules/rule170146v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro) | Host: otelrules.svc.static.microsoft
Source: global traffic; HTTP traffic detected: GET /rules/rule120201v19s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro) | Host: otelrules.svc.static.microsoft
Source: global traffic; DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: unknown; Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown; Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown; HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.25:49698 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.25:49697 version: TLS 1.2

System Summary

Source: sheet1.xml, type: SAMPLE; Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; Stream path '\x1oLe10nAtIVe': (binary stream content omitted)
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sheet1.xml, type: SAMPLE; Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine; Classification label: mal68.winXLSX@5/7@1/1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\Desktop\~$PURCHASE ORDER - PO#267759.xlam.xlsx
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\appidpolicyconverter.exe; Mutant created: PolicyMutex
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{7CEC3150-FBF5-4AA1-8BDF-9F3AE06BA617} - OProcSessId.dat
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\appidpolicyconverter.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; ReversingLabs: Detection: 69%
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; Virustotal: Detection: 58%
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: unknown; Process created: C:\Windows\System32\appidpolicyconverter.exe "C:\Windows\system32\appidpolicyconverter.exe"
Source: C:\Windows\System32\appidpolicyconverter.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 (2 entries)
Source: C:\Windows\System32\appidpolicyconverter.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\appidpolicyconverter.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\appidpolicyconverter.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\appidpolicyconverter.exe; Section loaded: srpapi.dll
Source: C:\Windows\System32\appidpolicyconverter.exe; Section loaded: gpapi.dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; Initial sample: OLE zip file path = xl/media/image1.jpg
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: PURCHASE ORDER - PO#267759.xlam.xlsx; Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (39 entries)
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (26 entries)
Source: C:\Windows\splwow64.exe; Window / User API: threadDelayed 866
Source: C:\Windows\splwow64.exe; Last function: Thread delayed (2 entries)
Source: C:\Windows\splwow64.exe; Thread delayed: delay time: 120000 (2 entries)
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation
MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the count shown next to that technique in the matrix)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Exploitation for Client Execution (3); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (3); Virtualization/Sandbox Evasion (1); Process Injection (1); DLL Side-Loading (1); Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1646987; Sample: PURCHASE ORDER - PO#267759....; Startdate: 24/03/2025; Architecture: WINDOWS; Score: 68)
  • Domains/IPs: star-azurefd-prod.trafficmanager.net; shed.dual-low.s-part-0012.t-0009.t-msedge.net; 3 other IPs or domains; s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49697, 49698 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
  • Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Document contains OLE streams with names of living off the land binaries
  • Processes: EXCEL.EXE 504 60 (started) -> splwow64.exe (started); appidpolicyconverter.exe 1 (started) -> conhost.exe (started)
  • Dropped file: C:\...\~$PURCHASE ORDER - PO#267759.xlam.xlsx, data

Source | Detection | Scanner | Label
PURCHASE ORDER - PO#267759.xlam.xlsx | 69% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
PURCHASE ORDER - PO#267759.xlam.xlsx | 58% | Virustotal | -
PURCHASE ORDER - PO#267759.xlam.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | - | high
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | - | high
otelrules.svc.static.microsoft | unknown | unknown | false | - | high

Name | Malicious | Antivirus Detection | Reputation
https://otelrules.svc.static.microsoft/rules/rule170146v0s19.xml | false | - | high
https://otelrules.svc.static.microsoft/rules/rule120201v19s19.xml | false | - | high

IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.40 | s-part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1646987
              Start date and time:2025-03-24 13:41:58 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 5m 21s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:defaultwindowsofficecookbook.jbs
              Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
              Run name:Potential for more IOCs and behavior
              Number of analysed new started processes analysed:25
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:PURCHASE ORDER - PO#267759.xlam.xlsx
              Detection:MAL
              Classification:mal68.winXLSX@5/7@1/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .xlsx
              • Found Word or Excel or PowerPoint or XPS Viewer
              • Attach to Office via COM
              • Active ActiveX Object
              • Scroll down
              • Close Viewer
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.109.16.112, 23.219.161.71, 23.193.201.36, 52.111.227.28, 20.189.173.5, 184.31.69.3, 52.123.128.14, 40.126.24.149, 52.149.20.212
              • Excluded domains from analysis (whitelisted): onedscolprdwus04.westus.cloudapp.azure.com, us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, cus-config.officeapps.live.com, a767.dspw65.akamai.net, osiprod-ncus-buff-azsc-000.northcentralus.cloudapp.azure.com, ncus-azsc-000.roaming.officeapps.live.com, mobile.events.data.microsoft.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, officeclient.microsoft.com, c.pki.goog, wu-b-net.trafficmanager.net, osiprod-cus-bronze-azsc-000.centralus.cloudapp.azure.com, assets.msn.com, ecs.office.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, cus-azsc-000.odc.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, us1.roaming1.live.com.akadns.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, ecs.office.trafficmanager.net, prod.odcs
              • Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              • Report size getting too big, too many NtSetValueKey calls found.
              Time | Type | Description
              08:44:12 | API Interceptor | 888x Sleep call for process: splwow64.exe modified
              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
              13.107.246.40 | Payment Transfer Receipt.shtml | Get hash | malicious | HTMLPhisher | Browse | www.aib.gov.uk/
              13.107.246.40 | NEW ORDER.xls | Get hash | malicious | Unknown | Browse | 2s.gg/3zs
              13.107.246.40 | PO_OCF 408.xls | Get hash | malicious | Unknown | Browse | 2s.gg/42Q
              13.107.246.40 | 06836722_218 Aluplast.docx.doc | Get hash | malicious | Unknown | Browse | 2s.gg/3zk
              13.107.246.40 | Quotation.xls | Get hash | malicious | Unknown | Browse | 2s.gg/3zM
              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
              s-0005.dual-s-msedge.net | sample.doc | Get hash | malicious | Unknown | Browse | 52.123.128.14
              s-0005.dual-s-msedge.net | Medical GmbH Order.xls | Get hash | malicious | Unknown | Browse | 52.123.128.14
              s-0005.dual-s-msedge.net | sample.doc | Get hash | malicious | Unknown | Browse | 52.123.129.14
              s-0005.dual-s-msedge.net | Quotation.xls | Get hash | malicious | Unknown | Browse | 52.123.129.14
              s-0005.dual-s-msedge.net | Quotation.xls | Get hash | malicious | Unknown | Browse | 52.123.128.14
              s-0005.dual-s-msedge.net | Quotation.xls | Get hash | malicious | Unknown | Browse | 52.123.129.14
              s-0005.dual-s-msedge.net | Débito Direto 202503104423..msg | Get hash | malicious | Unknown | Browse | 52.123.128.14
              s-0005.dual-s-msedge.net | message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml | Get hash | malicious | HTMLPhisher | Browse | 52.123.128.14
              s-0005.dual-s-msedge.net | PO NO. 2500510 COLORSTAR CHEMICAL INDUSTRIAL CORPORATION.msg | Get hash | malicious | Snake Keylogger | Browse | 52.123.129.14
              bg.microsoft.map.fastly.net | Quotation.xls | Get hash | malicious | Unknown | Browse | 199.232.214.172
              bg.microsoft.map.fastly.net | Quotation.xls | Get hash | malicious | Unknown | Browse | 199.232.210.172
              bg.microsoft.map.fastly.net | Fatura-03-2025.pdf | Get hash | malicious | Unknown | Browse | 199.232.210.172
              bg.microsoft.map.fastly.net | PILNIE WYMAGANE POTWIERDZENIE IMP7952Q8.vbs | Get hash | malicious | GuLoader | Browse | 199.232.210.172
              bg.microsoft.map.fastly.net | PILNIE WYMAGANE POTWIERDZENIE IMP7952Q8.vbs | Get hash | malicious | GuLoader | Browse | 199.232.214.172
              bg.microsoft.map.fastly.net | 024-02503_190776.vbs | Get hash | malicious | GuLoader | Browse | 199.232.214.172
              bg.microsoft.map.fastly.net | Bper Banca_Copia del Pagamento.pdf.bat | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 199.232.214.172
              bg.microsoft.map.fastly.net | l57j9RFjS7.exe | Get hash | malicious | AsyncRAT | Browse | 199.232.210.172
              bg.microsoft.map.fastly.net | iEGOVnrFG7.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
              bg.microsoft.map.fastly.net | random(12).exe | Get hash | malicious | LummaC Stealer | Browse | 199.232.214.172
              s-part-0012.t-0009.t-msedge.net | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | http://www.bing.com/search?q=&form=WMSAUT&ao=1&qs=UT&cvid=baf755dc3b5048988d4e50556017abad&pq=%3C&cc=PT&setlang=pt-PT&wsso=Moderate&qfig=2ce3b160a1de445eae6675508853de5e&addfeaturesnoexpansion=wsbcobalt | Get hash | malicious | Unknown | Browse | 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | https://pkns.sidhtech.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPWRIQnlhM2M9JnVpZD1VU0VSMTUwMzIwMjVVMjIwMzE1Mjk= | Get hash | malicious | Unknown | Browse | 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | auuu.xhtml | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | ENQUIRY - RFQ 674441-76450.xla.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | ENQUIRY - RFQ 674441-76450.xla.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | https://waimao-north-star-mail.qiye.163.com/api/j/html?c=https%3A%2F%2F1drv.ms%2Fo%2Fs!AjlMaeoI5pi7f_GXm50IY_RD-sw%3Fe%3DEsmwj4%3Fcid%3Dsite_nqmm3LQS7c9jn-2FWvVcVpMl0NsyUA8yUApYElnaeUm2Ly_xlUzBpbEuL | Get hash | malicious | Unknown | Browse | 13.107.246.40
              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Medical GmbH Order.xls | Get hash | malicious | Unknown | Browse | 13.107.246.38
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.38
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
              MICROSOFT-CORP-MSN-AS-BLOCKUS | http://email.mg.versatilev.com/c/eJwczMFtxSAMANBp4BgZ28Rw4NBL9gDH9CPlt1GCoo5ftQO8txdtHLp4K0EYOWVI4l-l7mnFGljyHiCAUYtkGKW2Hlfp7EdBwAiEEFZmlkWppZyjMWmutIpjeH8uj113neOwZ9Hvtz_Ka87zdvThcHO4hZpISBmtZU3aCSzFnZc5jmZf-vOHHG7-Kuc11E7HcNeh_9dT8DcAAP__O8c2mA | Get hash | malicious | HTMLPhisher | Browse | 13.107.42.14
              MICROSOFT-CORP-MSN-AS-BLOCKUS | g4za.mips.elf | Get hash | malicious | Mirai | Browse | 20.95.97.164
              MICROSOFT-CORP-MSN-AS-BLOCKUS | g4za.arm7.elf | Get hash | malicious | Mirai | Browse | 40.66.156.238
              MICROSOFT-CORP-MSN-AS-BLOCKUS | g4za.arm.elf | Get hash | malicious | Mirai | Browse | 40.78.204.91
              MICROSOFT-CORP-MSN-AS-BLOCKUS | g4za.spc.elf | Get hash | malicious | Mirai | Browse | 163.228.96.235
              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
              258a5a1e95b8a911872bae9081526644 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | ENQUIRY - RFQ 674441-76450.xla.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | Payment Advice 24-03-2025.docx.doc | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | solicitud de cotización.xlam.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | VAT3_Return_P051671333W.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | PO10026369-1.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | PO No 6500023972.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | CEKA RFQ #IND18042128.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | deyesfor.doc | Get hash | malicious | Unknown | Browse | 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | plesnice.doc | Get hash | malicious | Unknown | Browse | 13.107.246.40
              No context
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):118
              Entropy (8bit):3.5700810731231707
              Encrypted:false
              SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
              MD5:573220372DA4ED487441611079B623CD
              SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
              SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
              SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
              Malicious:false
              Reputation:high, very likely benign file
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):8.112143835430977E-5
              Encrypted:false
              SSDEEP:3:Tuekk9NJtHFfs1XsExe/t:qeVJ8
              MD5:AFDEAC461EEC32D754D8E6017E845D21
              SHA1:5D0874C19B70638A0737696AEEE55BFCC80D7ED8
              SHA-256:3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2
              SHA-512:CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation (remainder of the preview is non-printable padding, rendered as dots)
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3::
              MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
              SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
              SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
              SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
              Malicious:false
              Reputation:high, very likely benign file
              Preview:(non-printable bytes only, rendered as dots)
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:ASCII text, with very long lines (28714), with CRLF line terminators
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.19108994869689241
              Encrypted:false
              SSDEEP:1536:0tKnXCXhnZ+WgjOWIBzk+tPOsjDFLGgTzbF2HknkPzZnBp566PCcwKu/lepYctL+:KgXgRYOWYtPOCb1V8LZA+BCgqO
              MD5:037A2BA8A4C5EF519C025CAD6AD9BF0E
              SHA1:2F0FD2F0035B1D35094ADD00AFAB63C7D9DBD2F0
              SHA-256:7DABA74D6B502370D741FEF1498625F041BFB016D1918F586EFA811E3ACD6ED0
              SHA-512:CBFAC7DD47D0550A4E555D53B04E9255C800C2B48F4664E8584EEDFDBC27F4C28A0E289FABE2C59C4D8420752225377C2C3D42BE5E50F692367DC0716A9CF62A
              Malicious:false
              Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..03/24/2025 12:43:10.978.EXCEL (0x1E68).0x1F00.Microsoft Excel.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":17,"Time":"2025-03-24T12:43:10.978Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-24T12:43:10.5257088Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-24T12:43:10.5257088Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Word.UAEOnSafeModeEnabled\", \"V\" : true, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-24T12:43:10.5257088Z\", \"C\" : \"\", \"Q\" : 9.0, \"M\" : 0, \"F\" : 5, \"G\" : \"Opt\" }, { \"ID\" : 1, \"
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3::
              MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
              SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
              SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
              SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
              Malicious:false
              Preview:(non-printable bytes only, rendered as dots)
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):165
              Entropy (8bit):1.4377382811115937
              Encrypted:false
              SSDEEP:3:EVANFN:EqfN
              MD5:359140EB88A757E2BBEF2F7D32DCC4E5
              SHA1:FD16035441ADF907BBFC594A96470C202E265067
              SHA-256:42CDE461F058A0C6F6C5A69BD1D21114CD55929011C77BCB9A025B9CA43ED71F
              SHA-512:9ADF6AC24E55AA161D2FFA1AC3BBBF03A7028DEFD8E1722FA52CAF7C730F7CF8AAE2073A50FD8AA004AF46E9A578A3B8088DD89415368E64E1916367CE126741
              Malicious:false
              Preview:.user ..M.e.r.c.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):165
              Entropy (8bit):1.4377382811115937
              Encrypted:false
              SSDEEP:3:EVANFN:EqfN
              MD5:359140EB88A757E2BBEF2F7D32DCC4E5
              SHA1:FD16035441ADF907BBFC594A96470C202E265067
              SHA-256:42CDE461F058A0C6F6C5A69BD1D21114CD55929011C77BCB9A025B9CA43ED71F
              SHA-512:9ADF6AC24E55AA161D2FFA1AC3BBBF03A7028DEFD8E1722FA52CAF7C730F7CF8AAE2073A50FD8AA004AF46E9A578A3B8088DD89415368E64E1916367CE126741
              Malicious:true
              Preview:.user ..M.e.r.c.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              File type:Microsoft Excel 2007+
              Entropy (8bit):7.99804727386034
              TrID:
              • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
              • ZIP compressed archive (8000/1) 18.60%
              File name:PURCHASE ORDER - PO#267759.xlam.xlsx
              File size:654'572 bytes
              MD5:9e6cd3ab7762a50813fb25b114e2b162
              SHA1:df4651b08187b62b0a6c43d60e73d3e6374af545
              SHA256:8700acf7f7771cfc2e0f8b56f76286e12e2a40016db0d41a3bce914b05f464a9
              SHA512:d9181b87416a441e1dc42c9f23cd0162e5c71893b6f747146eb28c74ea742cc13c76e56be11681707fc1e8c374601cc1c1a96681a957afcbb2069661b8888410
              SSDEEP:12288:oknWOYjc44cbx8G3EtPEnGyR/KPAnZOtY4/kNoAZgVyq4X5Udw/WYGHnXVSz:FiN4chUtPmGUyPAZEt/koAZ5q4p0BDHa
              TLSH:92D4238D506FD385EECB4AF34E1A52CC89646E7180ABA6072FDD2CCC09DE68A505C57F
              File Content Preview:PK........~.xZ................[Content_Types].xmlUT......g...g...g.U.n.0....?..........C...&E..X.k.6_ ....w).F..V.......p......b.!*gkv^MX.V8.l[...../......,.l..]_}.4}^{...m.Y....y......h)2s.@...r.b.-......g..T......8......}.*i.e.....j..k% Q./.|'R..L..N...
              Icon Hash:35e58a8c0c8a85b9
              Document Type:OpenXML
              Number of OLE Files:1
              Has Summary Info:
              Application Name:
              Encrypted Document:False
              Contains Word Document Stream:False
              Contains Workbook/Book Stream:False
              Contains PowerPoint Document Stream:False
              Contains Visio Document Stream:False
              Contains ObjectPool Stream:False
              Flash Objects Count:0
              Contains VBA Macros:False
              Author:SHINY
              Last Saved By:X10LUXURY
              Create Time:2010-06-04T08:55:28Z
              Last Saved Time:2023-07-30T22:56:25Z
              Creating Application:Microsoft Excel
              Security:0
              Thumbnail Scaling Desired:false
              Company:Grizli777
              Contains Dirty Links:false
              Shared Document:false
              Changed Hyperlinks:false
              Application Version:15.0300
              General
              Stream Path:\x1oLe10nAtIVe
              CLSID:
              File Type:OpenPGP Public Key
              Stream Size:906170
              Entropy:5.9103421598640855
              Base64 Encoded:False
              General
              Stream Path:k3hD
              CLSID:
              File Type:empty
              Stream Size:0
              Entropy:0.0
              Base64 Encoded:False
              Data ASCII:
              Data Raw:

              • Total Packets: 20
              • 443 (HTTPS)
              • 53 (DNS)
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Mar 24, 2025 13:44:18.789554119 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:18.789597034 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:18.789664984 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:18.789761066 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:18.789800882 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:18.789978027 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:18.790976048 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:18.790993929 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:18.791121006 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:18.791136980 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.083432913 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.083642960 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.088222980 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.088335037 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.088361025 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.088397980 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.088624001 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.090039968 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.090048075 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.090325117 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.098089933 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.098129988 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.140327930 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.144324064 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.266664028 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.266855955 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.267299891 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.267833948 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.267833948 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.267849922 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.267862082 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.324014902 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.324042082 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.324182034 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.324208975 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.324659109 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.325270891 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.325846910 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.325846910 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 24, 2025 13:44:19.325871944 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 24, 2025 13:44:19.325884104 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Mar 24, 2025 13:44:18.688541889 CET | 58496 | 53 | 192.168.2.25 | 1.1.1.1
              Mar 24, 2025 13:44:18.788527012 CET | 53 | 58496 | 1.1.1.1 | 192.168.2.25
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Mar 24, 2025 13:44:18.688541889 CET | 192.168.2.25 | 1.1.1.1 | 0xcdfc | Standard query (0) | otelrules.svc.static.microsoft | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Mar 24, 2025 13:43:13.752600908 CET | 1.1.1.1 | 192.168.2.25 | 0xd4e0 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
              Mar 24, 2025 13:43:13.752600908 CET | 1.1.1.1 | 192.168.2.25 | 0xd4e0 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
              Mar 24, 2025 13:43:13.752600908 CET | 1.1.1.1 | 192.168.2.25 | 0xd4e0 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false
              Mar 24, 2025 13:44:15.509977102 CET | 1.1.1.1 | 192.168.2.25 | 0xd88b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
              Mar 24, 2025 13:44:15.509977102 CET | 1.1.1.1 | 192.168.2.25 | 0xd88b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
              Mar 24, 2025 13:44:18.788527012 CET | 1.1.1.1 | 192.168.2.25 | 0xcdfc | No error (0) | otelrules.svc.static.microsoft | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
              Mar 24, 2025 13:44:18.788527012 CET | 1.1.1.1 | 192.168.2.25 | 0xcdfc | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
              Mar 24, 2025 13:44:18.788527012 CET | 1.1.1.1 | 192.168.2.25 | 0xcdfc | No error (0) | star-azurefd-prod.trafficmanager.net | shed.dual-low.s-part-0012.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
              Mar 24, 2025 13:44:18.788527012 CET | 1.1.1.1 | 192.168.2.25 | 0xcdfc | No error (0) | shed.dual-low.s-part-0012.t-0009.t-msedge.net | s-part-0012.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
              Mar 24, 2025 13:44:18.788527012 CET | 1.1.1.1 | 192.168.2.25 | 0xcdfc | No error (0) | s-part-0012.t-0009.t-msedge.net | | 13.107.246.40 | A (IP address) | IN (0x0001) | false
              • otelrules.svc.static.microsoft
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.25 | 49698 | 13.107.246.40 | 443 | 7784 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Timestamp | Bytes transferred | Direction | Data
              2025-03-24 12:44:19 UTC | 214 | OUT | GET /rules/rule170146v0s19.xml HTTP/1.1
              Connection: Keep-Alive
              Accept-Encoding: gzip
              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
              Host: otelrules.svc.static.microsoft
              2025-03-24 12:44:19 UTC | 491 | IN | HTTP/1.1 200 OK
              Date: Mon, 24 Mar 2025 12:44:19 GMT
              Content-Type: text/xml
              Content-Length: 461
              Connection: close
              Cache-Control: public, max-age=604800, immutable
              Last-Modified: Thu, 14 Nov 2024 16:14:57 GMT
              ETag: "0x8DD04C77BDE7614"
              x-ms-request-id: af5926f4-c01e-0066-308c-9ca1ec000000
              x-ms-version: 2018-03-28
              x-azure-ref: 20250324T124419Z-17cccd5449blr9xfhC1EWR6mgs0000000apg00000000asax
              x-fd-int-roxy-purgeid: 0
              X-Cache-Info: L1_T2
              X-Cache: TCP_HIT
              Accept-Ranges: bytes
              2025-03-24 12:44:19 UTC | 461 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170146" V="0" DC="SM" EN="Office.Graphics.ExportBulletBlipCException" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="489f4"


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.25 | 49697 | 13.107.246.40 | 443 | 7784 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Timestamp | Bytes transferred | Direction | Data
              2025-03-24 12:44:19 UTC | 215 | OUT | GET /rules/rule120201v19s19.xml HTTP/1.1
              Connection: Keep-Alive
              Accept-Encoding: gzip
              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
              Host: otelrules.svc.static.microsoft
              2025-03-24 12:44:19 UTC | 515 | IN | HTTP/1.1 200 OK
              Date: Mon, 24 Mar 2025 12:44:19 GMT
              Content-Type: text/xml
              Content-Length: 2781
              Connection: close
              Vary: Accept-Encoding
              Cache-Control: public, max-age=604800, immutable
              Last-Modified: Tue, 31 Dec 2024 22:07:50 GMT
              ETag: "0x8DD29E791389B5C"
              x-ms-request-id: b918ca35-d01e-0017-3c8c-9cb035000000
              x-ms-version: 2018-03-28
              x-azure-ref: 20250324T124419Z-17cccd5449bg7c4bhC1EWR84740000000aq000000000aesv
              x-fd-int-roxy-purgeid: 0
              X-Cache-Info: L1_T2
              X-Cache: TCP_HIT
              Accept-Ranges: bytes
              2025-03-24 12:44:19 UTC | 2781 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120201" V="19" DC="SM" EN="Office.System.SystemHealthUsage.ClickStream" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalUsage" DCa="PSU" xmlns=""> <RIS>



              Target ID:0
              Start time:08:43:09
              Start date:24/03/2025
              Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
              Imagebase:0x7ff7ca6f0000
              File size:70'082'712 bytes
              MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:false

              Target ID:2
              Start time:08:43:11
              Start date:24/03/2025
              Path:C:\Windows\System32\appidpolicyconverter.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\system32\appidpolicyconverter.exe"
              Imagebase:0x7ff66b600000
              File size:155'648 bytes
              MD5 hash:6567D9CF2545FAAC60974D9D682700D4
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:3
              Start time:08:43:11
              Start date:24/03/2025
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff729690000
              File size:1'040'384 bytes
              MD5 hash:9698384842DA735D80D278A427A229AB
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:14
              Start time:08:44:12
              Start date:24/03/2025
              Path:C:\Windows\splwow64.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\splwow64.exe 12288
              Imagebase:0x7ff659360000
              File size:192'512 bytes
              MD5 hash:AF4A7EBF6114EE9E6FBCC910EC3C96E6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:false

              No disassembly