Windows Analysis Report
annual-allowance.xlsm

Overview

General Information

Sample name: annual-allowance.xlsm
Analysis ID: 1522520
MD5: 7585482be8438af062027305c41def13
SHA1: fcd9f9f67f6bfe445a8222744011fecc663219d0
SHA256: 990a2304fc6c1e8eefb20f0923d772a2e2d2bb2b6b46d09a819ce6ae61f01bc2
Tags: xlsm, user-abuse_ch

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Unable to load, office file is protected or invalid

Classification

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58299 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58297 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58298 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58301 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58300 version: TLS 1.2
Source: global traffic TCP traffic: 276 events between 192.168.2.4 (client ports 58297 through 58306) and 13.107.246.60:443, in both directions; every TCP connection in the capture is between the analysis host and this single remote IP and port
Source: excel.exe Memory has grown: Private usage: 2MB later: 99MB
Source: Joe Sandbox View IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule170022v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule170012v12s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: unknown Network traffic detected: HTTP traffic on port 58304 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58305 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58297 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58304
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58303
Source: unknown Network traffic detected: HTTP traffic on port 58298 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58306
Source: unknown Network traffic detected: HTTP traffic on port 58299 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58305
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58300
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58299
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58302
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58301
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58298
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58297
Source: unknown Network traffic detected: HTTP traffic on port 58306 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58300 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58303 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58302 -> 443
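The two Sigma hits ("Excel Network Connections", "Suspicious Office Outbound Connections") and the "IP address / JA3 seen in connection with other malware" signatures are all driven by the requests listed above: every one carries the Office user agent and goes to otelrules.azureedge.net, the host from which Office fetches its own telemetry rule XML, over a shared Microsoft edge IP. Because the IP is shared CDN infrastructure and the JA3 fingerprint belongs to the TLS client Excel itself used for these requests, both will also appear in reports of genuine malware that runs inside Office, so on their own they carry little weight; the question is whether any Office-originated request goes somewhere Office is not known to contact. The following added example is not part of the Joe Sandbox report: it parses request entries in the form a report export leaves them (headers run together or separated by " | "), extracts the Office product and build from the user agent, and separates requests to a maintained allowlist of Office service hosts from requests to unlisted hosts. The allowlist and the second, hypothetical request to cdn.example.invalid are constructed for the demonstration.

```python
"""Classify Office outbound HTTP requests found in a sandbox report.

Added example; not part of the Joe Sandbox report. The sample request lines
and the allowlist below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosts Office itself is known to contact. otelrules.azureedge.net serves the
# Office telemetry rule XML requested in the report. Assumption: a maintained
# allowlist kept by the analyst, not an authoritative Microsoft endpoint list.
KNOWN_OFFICE_HOSTS = {"otelrules.azureedge.net"}

# Constructed sample lines. The first mirrors a report entry with the headers
# run together, as an export often leaves them; the second is a hypothetical
# request to an unlisted host, with headers separated by " | ".
SAMPLE_LINES = [
    "GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-Alive"
    "Accept-Encoding: gzipUser-Agent: Microsoft Office/16.0 "
    "(Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net",
    "GET /update/payload.bin HTTP/1.1 | Connection: Keep-Alive | "
    "User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)"
    " | Host: cdn.example.invalid",
]

_REQ = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")
_HOST = re.compile(r"Host: (?P<host>[A-Za-z0-9.-]+)")
# Non-greedy up to the Host header, whether or not a " | " separator precedes it.
_UA = re.compile(r"User-Agent: (?P<ua>.*?)(?=\s*(?:\|\s*)?Host:|$)")
_OFFICE_UA = re.compile(
    r"Microsoft (?P<product>Excel|Word|PowerPoint|Outlook) (?P<build>\d+\.\d+\.\d+)"
)


@dataclass
class OfficeRequest:
    method: str
    path: str
    host: str
    user_agent: str
    product: Optional[str]   # e.g. "Excel"; None if the UA is not an Office UA
    build: Optional[str]     # e.g. "16.0.16827"


def parse_request(line: str) -> OfficeRequest:
    """Extract request line, Host and User-Agent from one report entry."""
    m_req, m_host, m_ua = _REQ.match(line), _HOST.search(line), _UA.search(line)
    if not (m_req and m_host and m_ua):
        raise ValueError(f"not an HTTP request entry: {line[:60]!r}")
    ua = m_ua["ua"].strip()
    m_off = _OFFICE_UA.search(ua)
    return OfficeRequest(
        method=m_req["method"],
        path=m_req["path"],
        host=m_host["host"].lower(),
        user_agent=ua,
        product=m_off["product"] if m_off else None,
        build=m_off["build"] if m_off else None,
    )


def classify(req: OfficeRequest) -> str:
    """Verdict for one request.

    expected-office-host : Office UA to an allowlisted host (telemetry noise)
    office-unknown-host  : Office UA to a host not on the allowlist (investigate)
    non-office-ua        : the client did not identify itself as Office
    """
    if req.product is None:
        return "non-office-ua"
    if req.host in KNOWN_OFFICE_HOSTS:
        return "expected-office-host"
    return "office-unknown-host"


def triage(lines: List[str]) -> List[dict]:
    """Parse and classify every request entry; lines that are not requests are skipped."""
    out = []
    for line in lines:
        try:
            req = parse_request(line)
        except ValueError:
            continue
        out.append({"host": req.host, "path": req.path, "product": req.product,
                    "build": req.build, "verdict": classify(req)})
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(f'{row["verdict"]:22} {row["product"]} {row["build"]} {row["host"]}{row["path"]}')
```

Run against the ten GET lines in this report every entry classifies as expected-office-host; the rule is only interesting when an Office user agent shows up against a host outside the allowlist, which is the case the hypothetical second line exercises.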
Source: C:\Windows\splwow64.exe Process Stats: CPU usage > 49%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Window title found: Microsoft Visual Basic run-time error '1004': The cell or chart you're trying to change is on a protected sheet. To make a change, unprotect the sheet. You might be requested to enter a password. [Continue] [End] [Debug] [Help]
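The "Unable to load, office file is protected or invalid" signature and the run-time error 1004 dialog above both point at the workbook's own structure rather than at network behaviour: an .xlsm is a zip container whose worksheets carry a sheetProtection element when they are locked and whose macros live in xl/vbaProject.bin, while a password-encrypted .xlsm is instead an OLE/CFB compound file that any zip-based parser rejects. The VBA dialog shows that macro code did run and tried to write to a protected sheet. The following added example is not part of the Joe Sandbox report and was not run against the reported sample: it triages a workbook statically (container type, macro part and content type, protected sheets) and recomputes the three hashes listed in the report header so a file can be matched before detonation. The minimal workbook it analyses is constructed in memory, and its vbaProject.bin is a placeholder blob, not a real VBA stream.

```python
"""Static triage of an .xlsm without opening it in Excel.

Added example; not part of the Joe Sandbox report and not run against the
reported sample. The workbook below is constructed in memory and its
vbaProject.bin is a placeholder blob, not a real VBA stream.
"""
import hashlib
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# OLE/CFB header. A password-encrypted OOXML document is wrapped in a CFB
# container, so a zip-based parser reports it as protected or invalid.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
_SHEET_PROTECTION = re.compile(r"<sheetProtection\b")


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the form the report header lists, for matching a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def container_type(data: bytes) -> str:
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole-cfb"
    return "unknown"


def triage_xlsm(data: bytes) -> dict:
    """Report container type, macro presence and which worksheets are protected."""
    result = {
        "container": container_type(data),
        "has_vba_part": False,
        "vba_content_type": False,
        "protected_sheets": [],
    }
    if result["container"] != "zip":
        return result  # encrypted or non-OOXML: nothing more to read statically
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["has_vba_part"] = "xl/vbaProject.bin" in names
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["vba_content_type"] = VBA_CONTENT_TYPE in types_xml
        for name in names:
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                sheet_xml = zf.read(name).decode("utf-8", "replace")
                if _SHEET_PROTECTION.search(sheet_xml):
                    result["protected_sheets"].append(name)
    return result


def build_sample_xlsm(protect_sheet: bool = True, with_vba: bool = True) -> bytes:
    """Constructed minimal macro-enabled workbook used only for this demonstration."""
    overrides = [
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
    ]
    if with_vba:
        overrides.append(
            f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    protection = '<sheetProtection sheet="1" objects="1" scenarios="1"/>' if protect_sheet else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + "".join(overrides) + "</Types>")
        zf.writestr("xl/workbook.xml",
                    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                    '<sheets><sheet name="Sheet1" sheetId="1"/></sheets></workbook>')
        zf.writestr("xl/worksheets/sheet1.xml",
                    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                    f'<sheetData/>{protection}</worksheet>')
        if with_vba:
            # Placeholder only: a real vbaProject.bin is a CFB stream with compressed modules.
            zf.writestr("xl/vbaProject.bin", b"CONSTRUCTED PLACEHOLDER - NOT A REAL VBA STREAM")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsm()
    print(hashes(sample)["sha256"])
    print(triage_xlsm(sample))
```

A container verdict of ole-cfb on a file named .xlsm is the static counterpart of the "protected or invalid" signature: the document is encrypted (or is a renamed legacy .xls) and has to be decrypted or detonated before its macros can be inspected.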
Source: classification engine Classification label: clean5.winXLSM@3/2@0/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\Desktop\~$annual-allowance.xlsm
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{843418D4-01E2-4775-9192-E7D524E9DC22} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (27 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 1806
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 8116
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information queried: ProcessInformation