
Windows Analysis Report
Riko Ekos d.o.o. RFQ #PO51842018.xlsx

Overview

General Information

Sample name:Riko Ekos d.o.o. RFQ #PO51842018.xlsx
Analysis ID:1651032
MD5:2c265f3f5136de58896ec5bd9d814a5d
SHA1:5930e285662ab9b3ae5228acb16802a9c1eb1bdd
SHA256:b6daa340200ee967ef4a7c2a2378014c978aa553ca4d6aa5cb6317ed049378b7
Tags:RFQ, xlsx, user-cocaman

Detection

Score:64
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Yara signature match

Classification

Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w11x64_office
  • EXCEL.EXE (PID: 7936 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 7476 cmdline: C:\Windows\splwow64.exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
  • appidpolicyconverter.exe (PID: 1376 cmdline: "C:\Windows\system32\appidpolicyconverter.exe" MD5: 6567D9CF2545FAAC60974D9D682700D4)
    • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sheet1.xml | INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen | see below
  • 0x1bb:$s1: <legacyDrawing r:id="
  • 0x1e3:$s2: <oleObject progId="
  • 0x21d:$s3: autoLoad="true"

System Summary

Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.246.40, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7936, Protocol: tcp, SourceIp: 192.168.2.25, SourceIsIpv6: false, SourcePort: 49698
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.25, DestinationIsIpv6: false, DestinationPort: 49698, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7936, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched


AV Detection

Source: Riko Ekos d.o.o. RFQ #PO51842018.xlsx | Avira: detected
Source: Riko Ekos d.o.o. RFQ #PO51842018.xlsx | Virustotal: Detection: 61%
Source: Riko Ekos d.o.o. RFQ #PO51842018.xlsx | ReversingLabs: Detection: 72%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.25:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.25:49698 version: TLS 1.2
Source: global traffic | DNS query: name: otelrules.svc.static.microsoft
Source: global traffic | TCP traffic: 192.168.2.25:49699 -> 13.107.246.40:443
Source: global traffic | TCP traffic: 192.168.2.25:49698 -> 13.107.246.40:443
Source: global traffic | TCP traffic: 13.107.246.40:443 -> 192.168.2.25:49698
Source: global traffic | TCP traffic: 13.107.246.40:443 -> 192.168.2.25:49699
Source: Joe Sandbox View | IP Address: 13.107.246.40
Source: Joe Sandbox View | JA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /rules/rule170146v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro) | Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected: GET /rules/rule120201v19s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro) | Host: otelrules.svc.static.microsoft
Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: Primary1743157727473498800_BF1C681E-5BF1-4DBF-8954-71ABA6D2B1BB.log.0.dr | String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.41/flatfontassets.pkg
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698

System Summary

Source: sheet1.xml, type: SAMPLE | Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine | Classification label: mal64.winXLSX@5/6@1/1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Riko Ekos d.o.o. RFQ #PO51842018.xlsx
Source: C:\Windows\System32\appidpolicyconverter.exe | Mutant created: PolicyMutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4812:120:WilError_03
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{BF1C681E-5BF1-4DBF-8954-71ABA6D2B1BB} - OProcSessId.dat
Source: Riko Ekos d.o.o. RFQ #PO51842018.xlsx | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\appidpolicyconverter.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\appidpolicyconverter.exe "C:\Windows\system32\appidpolicyconverter.exe"
Source: C:\Windows\System32\appidpolicyconverter.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: gpapi.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: Riko Ekos d.o.o. RFQ #PO51842018.xlsx | Static file information: File size 1103568 > 1048576
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: Riko Ekos d.o.o. RFQ #PO51842018.xlsx | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 804
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count the report shows next to that technique, unnumbered entries are the matrix's unmatched default cells)

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Exploitation for Client Execution (3), Scheduled Task/Job, At, Cron, Launchd
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
  • Defense Evasion: Masquerading (3), Virtualization/Sandbox Evasion (1), Process Injection (1), DLL Side-Loading (1), Software Packing
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: Process Discovery (1), Virtualization/Sandbox Evasion (1), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (2)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (3), Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Behavior Graph (ID: 1651032; Sample: Riko Ekos d.o.o. RFQ #PO51...; Start date: 28/03/2025; Architecture: WINDOWS; Score: 64)
  • Start node: contacts star-azurefd-prod.trafficmanager.net, shed.dual-low.s-part-0012.t-0009.t-msedge.net and 3 other IPs or domains; signatures: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file
  • EXCEL.EXE started (node counters: 504, 62)
    • contacts s-part-0012.t-0009.t-msedge.net 13.107.246.40, ports 443, 49698, 49699, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
    • dropped: ~$Riko Ekos d.o.o. RFQ #PO51842018.xlsx, data
    • splwow64.exe started
  • appidpolicyconverter.exe started (node counter: 1)
    • conhost.exe started

Source | Detection | Scanner | Label
Riko Ekos d.o.o. RFQ #PO51842018.xlsx | 62% | Virustotal | 
Riko Ekos d.o.o. RFQ #PO51842018.xlsx | 72% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
Riko Ekos d.o.o. RFQ #PO51842018.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | | high
bg.microsoft.map.fastly.net | 151.101.46.172 | true | false | | high
a726.dscd.akamai.net | 23.209.72.170 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | | high
otelrules.svc.static.microsoft | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://otelrules.svc.static.microsoft/rules/rule170146v0s19.xml | false | | high
https://otelrules.svc.static.microsoft/rules/rule120201v19s19.xml | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.40 | s-part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1651032
Start date and time:2025-03-28 11:27:44 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 15s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:Potential for more IOCs and behavior
Number of new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Riko Ekos d.o.o. RFQ #PO51842018.xlsx
Detection:MAL
Classification:mal64.winXLSX@5/6@1/1
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, conhost.exe, appidcertstorecheck.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.0.91, 52.109.8.36, 52.111.227.28, 151.101.46.172, 20.42.72.131, 52.123.129.14, 23.209.72.170, 20.190.151.132, 4.175.87.197, 23.204.23.20
  • Excluded domains from analysis (whitelisted): us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, res-1.cdn.office.net, mobile.events.data.microsoft.com, roaming.officeapps.live.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, dual-s-0005-office.config.skype.com, login.live.com, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, c.pki.goog, osiprod-cus-bronze-azsc-000.centralus.cloudapp.azure.com, wu-b-net.trafficmanager.net, assets.msn.com, ecs.office.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, cus-azsc-000.odc.officeapps.live.com, res-stls-prod.edgesuite.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, res-prod.trafficmanager.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, onedscolprdeus00.eastus.cloudapp.azure.com, ecs.office.trafficmanager.ne
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description
06:29:49 | API Interceptor | 828x Sleep call for process: splwow64.exe modified
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                13.107.246.40Payment Transfer Receipt.shtmlGet hashmaliciousHTMLPhisherBrowse
                • www.aib.gov.uk/
                NEW ORDER.xlsGet hashmaliciousUnknownBrowse
                • 2s.gg/3zs
                PO_OCF 408.xlsGet hashmaliciousUnknownBrowse
                • 2s.gg/42Q
                06836722_218 Aluplast.docx.docGet hashmaliciousUnknownBrowse
                • 2s.gg/3zk
                Quotation.xlsGet hashmaliciousUnknownBrowse
                • 2s.gg/3zM
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                s-0005.dual-s-msedge.net | Company Profile (Riko Ekos d.o.o).doc | Get hash | malicious | Unknown | Browse | 52.123.128.14
                s-0005.dual-s-msedge.net | CTF_IOC_28 marzo 2025.eml | Get hash | malicious | Unknown | Browse | 52.123.129.14
                s-0005.dual-s-msedge.net | Operation framework.msg | Get hash | malicious | Unknown | Browse | 52.123.129.14
                s-0005.dual-s-msedge.net | FW Thursday 27th march 2025q.msg | Get hash | malicious | Unknown | Browse | 52.123.129.14
                s-0005.dual-s-msedge.net | phish_alert_sp2_2.0.0.0 DB - Copy.eml | Get hash | malicious | Unknown | Browse | 52.123.128.14
                s-0005.dual-s-msedge.net | PURCHASE ORDER 517-2025.xla.xlsx | Get hash | malicious | Unknown | Browse | 52.123.129.14
                s-0005.dual-s-msedge.net | PURCHASE ORDER 517-2025.xla.xlsx | Get hash | malicious | Unknown | Browse | 52.123.129.14
                s-0005.dual-s-msedge.net | EFT Payment sent On 26032025.msg | Get hash | malicious | Unknown | Browse | 52.123.129.14
                s-0005.dual-s-msedge.net | Quotation_ISH2025.xls | Get hash | malicious | Unknown | Browse | 52.123.129.14
                a726.dscd.akamai.net | Company Profile (Riko Ekos d.o.o).doc | Get hash | malicious | Unknown | Browse | 23.210.73.104
                a726.dscd.akamai.net | PURCHASE ORDER 517-2025.xla.xlsx | Get hash | malicious | Unknown | Browse | 23.57.90.69
                a726.dscd.akamai.net | Quotation_ISH2025.xls | Get hash | malicious | Unknown | Browse | 23.223.209.212
                a726.dscd.akamai.net | Presentation Of Legal Notice.pptx | Get hash | malicious | HTMLPhisher | Browse | 23.223.209.211
                a726.dscd.akamai.net | https://watkinsglenareachamber.growthzoneapp.com/ap/r/d8edc648491b44fa8b9c854f10baa742 | Get hash | malicious | Invisible JS, Tycoon2FA | Browse | 23.219.36.134
                a726.dscd.akamai.net | XRealStats.xlam | Get hash | malicious | Unknown | Browse | 23.219.36.134
                a726.dscd.akamai.net | Pricing Analysis - Ecomm and Amazon vs List.xlsx | Get hash | malicious | Unknown | Browse | 23.219.36.135
                a726.dscd.akamai.net | PURCHASE ORDER 517-2025.xla.xlsx | Get hash | malicious | Unknown | Browse | 23.219.36.134
                a726.dscd.akamai.net | https://www.google.com/url?q=https%3A%2F%2Fcsnrda.net%2Fun-plugins%2F&sa=D&sntz=1&usg=AOvVaw1HtbC798C9cvS3J1_HKx3j#?8407378349Family=a2lyc3RpZS5yZWVzQHF1aWx0ZXJjaGV2aW90LmNvbQ== | Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse | 23.40.179.142
                a726.dscd.akamai.net | 20250326_105213_E06iobGVLsebU2XlmUYXRv33mfADWIwk.eml | Get hash | malicious | Unknown | Browse | 23.40.179.150
                bg.microsoft.map.fastly.net | SHIPPING ADVICE#2025.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 199.232.90.172
                bg.microsoft.map.fastly.net | SZf8I0IvEg.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 199.232.90.172
                bg.microsoft.map.fastly.net | 7NOT92-GmT6-1OjO9-R14.msi | Get hash | malicious | Unknown | Browse | 151.101.46.172
                bg.microsoft.map.fastly.net | SOA.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 199.232.90.172
                bg.microsoft.map.fastly.net | MetroHealthNow.com.pdf | Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse | 199.232.38.172
                bg.microsoft.map.fastly.net | PURCHASE ORDER 517-2025.xla.xlsx | Get hash | malicious | Unknown | Browse | 199.232.90.172
                bg.microsoft.map.fastly.net | SecuriteInfo.com.Trojan.Win32.32652.13367.exe | Get hash | malicious | ScreenConnect Tool | Browse | 199.232.38.172
                bg.microsoft.map.fastly.net | SecuriteInfo.com.Trojan.Win32.32652.13367.exe | Get hash | malicious | ScreenConnect Tool | Browse | 199.232.90.172
                bg.microsoft.map.fastly.net | https://webmail-oxcs.networksolutionsemail.com/appsuite/api/share/06aa762107b86ac26a9d4b37b86a49dfbc05657fa4e7fd74/1/8/MjYx | Get hash | malicious | Orcus | Browse | 199.232.90.172
                s-part-0012.t-0009.t-msedge.net | https://mahoganydevelopment.knack.com/untitled-app | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
                s-part-0012.t-0009.t-msedge.net | 345778.pdf | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
                s-part-0012.t-0009.t-msedge.net | #Ud83d#Udd0aAudio_Msg Pharma.xhtml | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
                s-part-0012.t-0009.t-msedge.net | #U25baPlay_VM-Now(Lhershey)ATTT0003.html | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
                s-part-0012.t-0009.t-msedge.net | #Ud83d#Udd0aAudio_Msg Pharma.xhtml | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
                s-part-0012.t-0009.t-msedge.net | https://248d0d7c.b6979dc2a0c182f7ec7a4aa7.workers.dev/?_kx=tT2g7RhPaXrh3A6Bckepfg.WnBBDP | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
                s-part-0012.t-0009.t-msedge.net | http://google.com | Get hash | malicious | CAPTCHA Scam ClickFix | Browse | 13.107.246.40
                s-part-0012.t-0009.t-msedge.net | https://login.microsoftonline.com/redeem?rd=https%3a%2f%2finvitations.microsoft.com%2fredeem%2f%3ftenant%3d089a6470-d3a7-46a4-8852-73c0c698c729%26user%3d1f7621fb-e95b-459f-9e70-2ef3d5935926%26ticket%3dp5hN%25252fl8PpUcQKPkV0TMbs2ptO%25252bRNmG2KxgcRrL%25252bWsgY%25253d%26ver%3d2.0 | Get hash | malicious | Unknown | Browse | 13.107.246.40
                s-part-0012.t-0009.t-msedge.net | https://www.canva.com/design/DAGiRhhTm_M/1Wb1338QF_BEv0zYs4WfZQ/view?utm_content=DAGiRhhTm_M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h6159cd66cf&umid=b05be093-6f53-49ec-8a3b-87bea166f93e&auth=5175c0148660b71d9cf40f5d2581457ec88fc189-b6bc2ea861a256fc841ad8d60030f2289750b83 | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.40
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.Win64.MalwareX-gen.24792.5071.exe | Get hash | malicious | Unknown | Browse | 204.79.197.203
                MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.Win64.MalwareX-gen.24792.5071.exe | Get hash | malicious | Unknown | Browse | 204.79.197.203
                MICROSOFT-CORP-MSN-AS-BLOCKUS | Invoice & Packing list For Sea Shipment.exe | Get hash | malicious | FormBook | Browse | 204.79.197.203
                MICROSOFT-CORP-MSN-AS-BLOCKUS | https://innovation-platform-6635.my.salesforce-sites.com/sec | Get hash | malicious | HTMLPhisher | Browse | 13.107.42.14
                MICROSOFT-CORP-MSN-AS-BLOCKUS | bimbo-m68k.elf | Get hash | malicious | Unknown | Browse | 51.111.190.78
                MICROSOFT-CORP-MSN-AS-BLOCKUS | bimbo-mpsl.elf | Get hash | malicious | Unknown | Browse | 104.210.176.36
                MICROSOFT-CORP-MSN-AS-BLOCKUS | bimbo-arm.elf | Get hash | malicious | Unknown | Browse | 137.135.44.93
                MICROSOFT-CORP-MSN-AS-BLOCKUS | bimbo-ppc.elf | Get hash | malicious | Unknown | Browse | 20.18.207.219
                MICROSOFT-CORP-MSN-AS-BLOCKUS | bimbo-spc.elf | Get hash | malicious | Unknown | Browse | 13.90.63.146
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                258a5a1e95b8a911872bae9081526644 | PURCHASE ORDER 517-2025.xla.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | Quotation_ISH2025.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | XRealStats.xlam | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | Pricing Analysis - Ecomm and Amazon vs List.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | PURCHASE ORDER 517-2025.xla.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | List_242508-02.docx.doc | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | 242508-02.docx.doc | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | Bank Information.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | ORDER 517-2025.xla.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
                258a5a1e95b8a911872bae9081526644 | MDRHZBOL2477518 CO.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
                No context
                Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):118
                Entropy (8bit):3.5700810731231707
                Encrypted:false
                SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                MD5:573220372DA4ED487441611079B623CD
                SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                Malicious:false
                Reputation:high, very likely benign file
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):8.112143835430977E-5
                Encrypted:false
                SSDEEP:3:Tuekk9NJtHFfs1XsExe/t:qeVJ8
                MD5:AFDEAC461EEC32D754D8E6017E845D21
                SHA1:5D0874C19B70638A0737696AEEE55BFCC80D7ED8
                SHA-256:3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2
                SHA-512:CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                Malicious:false
                Reputation:high, very likely benign file
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:ASCII text, with very long lines (28714), with CRLF line terminators
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.20883754476343325
                Encrypted:false
                SSDEEP:1536:46k5AHWfOKmhYciDfywbOfoqLjNXCF5SZmTuGMYZWr/Pd8N3fTz1SbEtKwJl5Gux:pIAsqXiDCfoqKJS05pWAAxBCgA
                MD5:2DBC8D3AA65952767A11927E039F3927
                SHA1:3A19DF43F609C70550A7B235DC0117710820E01D
                SHA-256:2D2762A4D3A611DADECBF2C6EC086CE57F0611F4FA0AD7807E9687A27890C0DC
                SHA-512:704EE1080E8C12B3CE85791D977BC6C310C36B0E9AC6E8B0C6AABA27DC817F938C1780EAE8F1B7BB274AB9B73468D89A93E243CE7287271B54C6476B48D6137C
                Malicious:false
                Reputation:low
                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..03/28/2025 10:28:47.491.EXCEL (0x1F00).0x1F68.Microsoft Excel.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":17,"Time":"2025-03-28T10:28:47.491Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-28T10:28:47.0385440Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-28T10:28:47.0385440Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Word.UAEOnSafeModeEnabled\", \"V\" : true, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-28T10:28:47.0385440Z\", \"C\" : \"\", \"Q\" : 6.0, \"M\" : 0, \"F\" : 5, \"G\" : \"Opt\" }, { \"ID\" : 1, \"
                Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                Malicious:false
                Reputation:high, very likely benign file
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):165
                Entropy (8bit):1.4377382811115937
                Encrypted:false
                SSDEEP:
                MD5:359140EB88A757E2BBEF2F7D32DCC4E5
                SHA1:FD16035441ADF907BBFC594A96470C202E265067
                SHA-256:42CDE461F058A0C6F6C5A69BD1D21114CD55929011C77BCB9A025B9CA43ED71F
                SHA-512:9ADF6AC24E55AA161D2FFA1AC3BBBF03A7028DEFD8E1722FA52CAF7C730F7CF8AAE2073A50FD8AA004AF46E9A578A3B8088DD89415368E64E1916367CE126741
                Malicious:true
                Preview:.user ..M.e.r.c.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                File type:Microsoft Excel 2007+
                Entropy (8bit):7.998371707667736
                TrID:
                • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
                • ZIP compressed archive (8000/1) 18.60%
                File name:Riko Ekos d.o.o. RFQ #PO51842018.xlsx
                File size:1'103'568 bytes
                MD5:2c265f3f5136de58896ec5bd9d814a5d
                SHA1:5930e285662ab9b3ae5228acb16802a9c1eb1bdd
                SHA256:b6daa340200ee967ef4a7c2a2378014c978aa553ca4d6aa5cb6317ed049378b7
                SHA512:d2dd2208ee985527d29c101d6328c139d6cde1f847f18b4cb66c4631e510a9a9c114ea66c2aec543adf0b7c3e886bf4959eb4d7eede4c0079cbbfa8e05463cac
                SSDEEP:24576:R66CVMUqOytEFmXT0X7JvyTih0SinIEC7sKZA1r1r1si:lCVMxOytEFsTAJvyuaSECwwA1hr1si
                TLSH:623533C5E9BBB0B5CC0F823040E715754BBF6A6D43B13E92DF786848E67B99E8053258
                File Content Preview:PK.........YzZ.9......f.......[Content_Types].xmlUT......g...g...g.UKK.1.....%W..U..n{...A....d...&!.k...l.......lX..1..1..j.-!D.l..y.e`.S.....t..dYDa.0.B....xt|4|Z{...m,X...8...Z..y.43s..H.a....1.~.._p.,...&.6......d."...I...Gb..w....&.`.....h)....U?T{n6
                Icon Hash:35e58a8c0c8a85b9
                Document Type:OpenXML
                Number of OLE Files:1
                Has Summary Info:
                Application Name:
                Encrypted Document:False
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:True
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:False
                Flash Objects Count:0
                Contains VBA Macros:False
                Author:ctrl
                Last Saved By:ctrl
                Create Time:2022-11-18T02:05:27Z
                Last Saved Time:2022-11-18T02:07:12Z
                Creating Application:Microsoft Excel
                Security:0
                Thumbnail Scaling Desired:false
                Contains Dirty Links:false
                Shared Document:false
                Changed Hyperlinks:false
                Application Version:12.0000
                General
                Stream Path:\x1ole10nAtIVe
                CLSID:
                File Type:data
                Stream Size:1316230
                Entropy:7.120941598223329
                Base64 Encoded:True
                Data ASCII:< . . Z " / . . . . 7 S . . . . } w 3 w l ; R . . 7 G - 0 G + . E . \\ 7 " . h W . } . p S O . 9 . ^ + [ b ^ q . . a = O _ n S " . . \\ . o . a . H % | ? . \\ . . H . O ) . : . ` i 7 { Y ? . S c h . [ ) 6 x x . ] . s ` R / 9 - : $ . 9 . K . . . { . . . 6 . . P . : . L . . . V . g B W . L ( Z x q % 3 z E . 8 O . k . . w } X t l c 0 . . c . . - q s . q . 0 . ] . | . > g E P . . . " _ x A . ) . K v H R B . + B W . l . V 4 . . . 4 t j ` 6 m G = . _ u . . T z 4 x n + \\ . . * . . . . . G . C a . . Z ' K X ] u V .
                Data Raw:fa f2 3c 01 02 5a 22 2f 06 e0 01 08 af c5 be f1 37 53 f7 81 f6 cd 8a 16 f7 8b 06 8b 10 bb 7d f0 77 93 81 c3 33 77 ce 6c 8b 3b 52 ff d7 05 af 1d 37 47 2d 95 f3 30 47 ff e0 2b c9 0d 45 00 5c 37 22 b6 19 ff e2 68 57 c7 f3 a4 1a 7d 1a be c3 c1 70 dd e2 53 4f bd 2e e9 39 b1 f5 da 88 5e 2b 5b 62 bb 5e d6 71 de 09 a8 99 09 61 3d 9e fa 4f 5f 6e ba 53 22 8b 0d 07 cc 20 5c d6 aa 83 6f e2 a7
                General
                Stream Path:QFsLkMXbXUscZMY3
                CLSID:
                File Type:empty
                Stream Size:0
                Entropy:0.0
                Base64 Encoded:False
                Data ASCII:
                Data Raw:


                • Total Packets: 20
                • 443 (HTTPS)
                • 53 (DNS)
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Mar 28, 2025 11:29:55.922677994 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:55.922714949 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:55.922800064 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:55.922821999 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:55.922858000 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:55.922908068 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:55.923894882 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:55.923918962 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:55.924446106 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:55.924463987 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.203963995 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.204058886 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.204153061 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.204216003 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.216430902 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.216448069 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.217464924 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.232717037 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.233947992 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.233963013 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.234934092 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.235690117 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.276278973 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.280276060 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.372895956 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.372981071 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.373233080 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.373243093 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.373297930 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.374265909 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.374278069 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.374289036 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.374294996 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.491883039 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.492425919 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.492500067 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.492553949 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.492573023 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Mar 28, 2025 11:29:56.492587090 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40
                Mar 28, 2025 11:29:56.492598057 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Mar 28, 2025 11:29:20.711349964 CET | 53 | 64246 | 162.159.36.2 | 192.168.2.25
                Mar 28, 2025 11:29:55.464842081 CET | 54531 | 53 | 192.168.2.25 | 1.1.1.1
                Mar 28, 2025 11:29:55.549851894 CET | 53 | 54531 | 1.1.1.1 | 192.168.2.25
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Mar 28, 2025 11:29:55.464842081 CET | 192.168.2.25 | 1.1.1.1 | 0x3ba6 | Standard query (0) | otelrules.svc.static.microsoft | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Mar 28, 2025 11:28:50.729454041 CET | 1.1.1.1 | 192.168.2.25 | 0x1306 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 28, 2025 11:28:50.729454041 CET | 1.1.1.1 | 192.168.2.25 | 0x1306 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false
                Mar 28, 2025 11:28:50.729454041 CET | 1.1.1.1 | 192.168.2.25 | 0x1306 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                Mar 28, 2025 11:28:51.383227110 CET | 1.1.1.1 | 192.168.2.25 | 0x7159 | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 28, 2025 11:28:51.383227110 CET | 1.1.1.1 | 192.168.2.25 | 0x7159 | No error (0) | a726.dscd.akamai.net | | 23.209.72.170 | A (IP address) | IN (0x0001) | false
                Mar 28, 2025 11:28:51.383227110 CET | 1.1.1.1 | 192.168.2.25 | 0x7159 | No error (0) | a726.dscd.akamai.net | | 23.209.72.172 | A (IP address) | IN (0x0001) | false
                Mar 28, 2025 11:28:51.482228041 CET | 1.1.1.1 | 192.168.2.25 | 0x8bac | No error (0) | bg.microsoft.map.fastly.net | | 151.101.46.172 | A (IP address) | IN (0x0001) | false
                Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | otelrules.svc.static.microsoft | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | star-azurefd-prod.trafficmanager.net | shed.dual-low.s-part-0012.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | shed.dual-low.s-part-0012.t-0009.t-msedge.net | s-part-0012.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | s-part-0012.t-0009.t-msedge.net | | 13.107.246.40 | A (IP address) | IN (0x0001) | false
                • otelrules.svc.static.microsoft
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.25 | 49699 | 13.107.246.40 | 443 | 7936 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                Timestamp | Bytes transferred | Direction | Data
                2025-03-28 10:29:56 UTC | 214 | OUT | GET /rules/rule170146v0s19.xml HTTP/1.1
                Connection: Keep-Alive
                Accept-Encoding: gzip
                User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
                Host: otelrules.svc.static.microsoft
                2025-03-28 10:29:56 UTC | 498 | IN | HTTP/1.1 200 OK
                Date: Fri, 28 Mar 2025 10:29:56 GMT
                Content-Type: text/xml
                Content-Length: 461
                Connection: close
                Cache-Control: public, max-age=604800, immutable
                Last-Modified: Thu, 14 Nov 2024 16:14:57 GMT
                ETag: "0x8DD04C77BDE7614"
                x-ms-request-id: 7ce59aec-701e-000d-30ac-9f6de3000000
                x-ms-version: 2018-03-28
                x-azure-ref: 20250328T102956Z-17cccd5449bzd7mthC1EWRrdxw0000000qcg000000004w66
                x-fd-int-roxy-purgeid: 0
                X-Cache-Info: L2_T2
                X-Cache: TCP_REMOTE_HIT
                Accept-Ranges: bytes
                2025-03-28 10:29:56 UTC | 461 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 31 34 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 45 78 70 6f 72 74 42 75 6c 6c 65 74 42 6c 69 70 43 45 78 63 65 70 74 69 6f 6e 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 34 38 39 66 34 22 20
                Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170146" V="0" DC="SM" EN="Office.Graphics.ExportBulletBlipCException" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="489f4"


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.25 | 49698 | 13.107.246.40 | 443 | 7936 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                Timestamp | Bytes transferred | Direction | Data
                2025-03-28 10:29:56 UTC | 215 | OUT | GET /rules/rule120201v19s19.xml HTTP/1.1
                Connection: Keep-Alive
                Accept-Encoding: gzip
                User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
                Host: otelrules.svc.static.microsoft
                2025-03-28 10:29:56 UTC | 515 | IN | HTTP/1.1 200 OK
                Date: Fri, 28 Mar 2025 10:29:56 GMT
                Content-Type: text/xml
                Content-Length: 2781
                Connection: close
                Vary: Accept-Encoding
                Cache-Control: public, max-age=604800, immutable
                Last-Modified: Tue, 31 Dec 2024 22:07:50 GMT
                ETag: "0x8DD29E791389B5C"
                x-ms-request-id: 9dd2ef99-e01e-0052-7dbf-9fd9df000000
                x-ms-version: 2018-03-28
                x-azure-ref: 20250328T102956Z-17cccd5449b89qrjhC1EWR22980000000qgg000000000q6b
                x-fd-int-roxy-purgeid: 0
                X-Cache-Info: L1_T2
                X-Cache: TCP_HIT
                Accept-Ranges: bytes
                2025-03-28 10:29:56 UTC | 2781 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 32 30 31 22 20 56 3d 22 31 39 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 55 73 61 67 65 2e 43 6c 69 63 6b 53 74 72 65 61 6d 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 55 73 61 67 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20
                Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120201" V="19" DC="SM" EN="Office.System.SystemHealthUsage.ClickStream" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalUsage" DCa="PSU" xmlns=""> <RIS>



                Target ID:0
                Start time:06:28:45
                Start date:28/03/2025
                Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                Imagebase:0x7ff6f8cf0000
                File size:70'082'712 bytes
                MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:false

                Target ID:6
                Start time:06:28:57
                Start date:28/03/2025
                Path:C:\Windows\System32\appidpolicyconverter.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\appidpolicyconverter.exe"
                Imagebase:0x7ff73ab40000
                File size:155'648 bytes
                MD5 hash:6567D9CF2545FAAC60974D9D682700D4
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:7
                Start time:06:28:57
                Start date:28/03/2025
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff729690000
                File size:1'040'384 bytes
                MD5 hash:9698384842DA735D80D278A427A229AB
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:12
                Start time:06:29:49
                Start date:28/03/2025
                Path:C:\Windows\splwow64.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\splwow64.exe 12288
                Imagebase:0x7ff7a4610000
                File size:192'512 bytes
                MD5 hash:AF4A7EBF6114EE9E6FBCC910EC3C96E6
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:false

                No disassembly