Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll |
Source: unknown | HTTPS traffic detected: 13.107.213.69:443 -> 192.168.2.12:49734 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 13.107.213.69:443 -> 192.168.2.12:49733 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 13.107.213.69:443 -> 192.168.2.12:49732 version: TLS 1.2 |
Source: global traffic | TCP traffic: 192.168.2.12 (client ports 49732, 49733, 49734) <-> 13.107.213.69:443, three connections; 95 per-packet rows in the original table (61 client-to-server, 34 server-to-client), all between these two hosts |
Source: excel.exe | Memory has grown: Private usage: 2MB later: 92MB |
Source: Joe Sandbox View | IP Address: 13.107.213.69 |
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1 |
Source: global traffic | HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1, Connection: Keep-Alive, Accept-Encoding: gzip, User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro), Host: otelrules.azureedge.net |
Source: global traffic | HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1, Connection: Keep-Alive, Accept-Encoding: gzip, User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro), Host: otelrules.azureedge.net |
Source: global traffic | HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1, Connection: Keep-Alive, Accept-Encoding: gzip, User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro), Host: otelrules.azureedge.net |
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab |
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734 |
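The network rows above are one event per packet, which hides the shape of the activity: three TLS 1.2 connections from the analysis VM to a single host on 443, plus three GETs carrying an Office 16 user-agent and Host: otelrules.azureedge.net, which is the rule-download traffic Office itself generates. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses rows in the report's "Source: ... | detail |" layout into a flow table keyed by client, server and server port (so both directions of a connection collapse onto one key), pulls out the TLS versions, HTTP requests and JA3 values, and prints a short triage list. The sample rows are a constructed handful of the report's rows in the run-together form the page extraction produces; the host allowlist is an assumption of the example, and the "higher port is the client" rule is a heuristic.

```python
"""Added example, not part of the Joe Sandbox report: turn the report's
per-packet network rows into a flow table and a short triage list."""
import re
from collections import Counter

# Constructed rows in the report's "Source: ... | detail |" layout (a handful of
# the ~100 network rows, in the run-together form the page extraction produces).
# They are sample input for this script, not the full report.
SAMPLE_ROWS = """\
Source: global traffic | TCP traffic: 192.168.2.12:49734 -> 13.107.213.69:443 |
Source: global traffic | TCP traffic: 192.168.2.12:49733 -> 13.107.213.69:443 |
Source: global traffic | TCP traffic: 13.107.213.69:443 -> 192.168.2.12:49733 |
Source: global traffic | TCP traffic: 192.168.2.12:49732 -> 13.107.213.69:443 |
Source: unknown | HTTPS traffic detected: 13.107.213.69:443 -> 192.168.2.12:49734 version: TLS 1.2 |
Source: global traffic | HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net |
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1 |
"""

TCP_RE = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (.+?) \|")
# Tolerates both the run-together header form and a comma-separated one.
HTTP_RE = re.compile(r"HTTP traffic detected: (GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01],?(.*?),? ?Host: ([^\s|]+)")
UA_RE = re.compile(r"User-Agent: (.*?),?$")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")

# Hosts the analyst already accepts as background noise for this Office build.
# The allowlist is an assumption of this example, not a verdict from the report.
EXPECTED_HOSTS = {"otelrules.azureedge.net"}


def parse_rows(text):
    """Return flows keyed (client, server, server_port), TLS versions per
    server endpoint, HTTP requests as (method, path, host, user_agent), JA3s."""
    flows, tls, http, ja3 = Counter(), {}, [], set()
    for line in text.splitlines():
        if m := TCP_RE.search(line):
            a, ap, b, bp = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            # Heuristic: the side with the higher (ephemeral) port is the client,
            # so both directions of one connection collapse onto one key.
            client, server, sport = (a, b, bp) if ap > bp else (b, a, ap)
            flows[(client, server, sport)] += 1
        elif m := TLS_RE.search(line):
            tls[(m.group(1), int(m.group(2)))] = m.group(5)
        elif m := HTTP_RE.search(line):
            ua = UA_RE.search(m.group(3))
            http.append((m.group(1), m.group(2), m.group(4), ua.group(1) if ua else ""))
        elif m := JA3_RE.search(line):
            ja3.add(m.group(1))
    return {"flows": flows, "tls": tls, "http": http, "ja3": ja3}


def triage(parsed):
    """Findings worth a human look: HTTP hosts off the allowlist, a user-agent
    that is not Office's own, and TLS versions below 1.2."""
    findings = []
    for method, path, host, ua in parsed["http"]:
        if host not in EXPECTED_HOSTS:
            findings.append(f"host not on allowlist: {method} {host}{path}")
        if not ua.startswith("Microsoft Office/"):
            findings.append(f"non-Office user-agent to {host}: {ua!r}")
    for (server, port), version in parsed["tls"].items():
        if version not in ("TLS 1.2", "TLS 1.3"):
            findings.append(f"legacy {version} to {server}:{port}")
    return findings


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for (client, server, port), n in sorted(parsed["flows"].items()):
        print(f"{client} -> {server}:{port}  packets={n}  tls={parsed['tls'].get((server, port), '-')}")
    for req in parsed["http"]:
        print("HTTP", *req)
    print("JA3:", ", ".join(sorted(parsed["ja3"])))
    print("findings:", triage(parsed) or "none")
```

Run against the full row set, the flow table for this report collapses to one line (192.168.2.12 -> 13.107.213.69:443) with three client ports, and the triage list is empty under the allowlist above; a second sample in which the user-agent is not Office's, or the Host is a domain you have not seen before, is what turns this from a clean telemetry pattern into something to pivot on with the JA3 value.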
Source: A19C2E78.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false |
Source: classification engine | Classification label: clean4.winXLSX@3/5@0/1 |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Aztec UP&GO to we 14 April 2024.xlsx |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{D5E9CE68-76DD-4DEF-AE78-4B9792620451} - OProcSessId.dat |
Source: Aztec UP&GO to we 14 April 2024.xlsx | OLE indicator, Workbook stream: true |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini |
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding | |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000303-0000-0000-C000-000000000046}\InprocServer32 |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: Aztec UP&GO to we 14 April 2024.xlsx | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels |
Source: Aztec UP&GO to we 14 April 2024.xlsx | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels |
Source: Aztec UP&GO to we 14 April 2024.xlsx | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin |
Source: Aztec UP&GO to we 14 April 2024.xlsx | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin |
Source: Aztec UP&GO to we 14 April 2024.xlsx | Initial sample: OLE zip file path = xl/comments1.xml |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common |
Source: Aztec UP&GO to we 14 April 2024.xlsx | Initial sample: OLE indicators vbamacros = False |
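The static rows above are the part of the report worth reproducing by hand: the zip part names (relationship files for sheet2 and sheet3, two printerSettings blobs, one comments part) and the vbamacros = False indicator. The printerSettings parts are also consistent with the splwow64.exe child process listed earlier, which is the print driver host a 32-bit Office install (note the Program Files (x86) path) spawns when it loads printer settings. The script below is an added example, not the report's or Joe Sandbox's code: it re-derives those indicators from a workbook given as bytes and, in addition, parses every .rels part for relationships with TargetMode="External", which is where a workbook's outbound links (hyperlinks, external workbook references, remote templates) are declared and which the report's rows do not show. The package it inspects is constructed in the script with the report's part names and is not the analysed file; its one External hyperlink exists only so the check has something to find.

```python
"""Added example, not the report's or Joe Sandbox's code: re-derive the static
OOXML indicators the report lists (zip part names, vbamacros flag) from a
workbook and, in addition, read every .rels part for relationships whose
TargetMode is External, which is where a workbook's outbound links live."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_sample_workbook():
    """Constructed package using the part names from the report; it is NOT the
    analysed file. sheet3's rels carry one External hyperlink purely so the
    external-relationship check has something to find."""
    parts = {
        "[Content_Types].xml": "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        "xl/workbook.xml": "<workbook/>",
        "xl/worksheets/sheet2.xml": "<worksheet/>",
        "xl/worksheets/sheet3.xml": "<worksheet/>",
        "xl/worksheets/_rels/sheet2.xml.rels":
            f"<Relationships xmlns='{RELS_NS}'>"
            f"<Relationship Id='rId1' Type='{OFFICE_REL}printerSettings' Target='../printerSettings/printerSettings2.bin'/>"
            f"<Relationship Id='rId2' Type='{OFFICE_REL}comments' Target='../comments1.xml'/>"
            "</Relationships>",
        "xl/worksheets/_rels/sheet3.xml.rels":
            f"<Relationships xmlns='{RELS_NS}'>"
            f"<Relationship Id='rId1' Type='{OFFICE_REL}printerSettings' Target='../printerSettings/printerSettings3.bin'/>"
            f"<Relationship Id='rId2' Type='{OFFICE_REL}hyperlink' Target='https://example.invalid/landing' TargetMode='External'/>"
            "</Relationships>",
        "xl/printerSettings/printerSettings2.bin": b"\x00" * 16,
        "xl/printerSettings/printerSettings3.bin": b"\x00" * 16,
        "xl/comments1.xml": "<comments/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def inspect_package(data):
    """Static indicators for an OOXML workbook given as bytes."""
    found = {"vba_macros": False, "comments": [], "printer_settings": [],
             "rels": [], "external_rels": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            # The indicator the sandbox reports as 'vbamacros' is the presence
            # of the VBA project part, regardless of the file extension.
            if low.endswith("vbaproject.bin"):
                found["vba_macros"] = True
            elif low.startswith("xl/comments"):
                found["comments"].append(name)
            elif low.startswith("xl/printersettings/"):
                found["printer_settings"].append(name)
            elif low.endswith(".rels"):
                found["rels"].append(name)
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    # Internal targets are other parts of the package; External
                    # ones are URLs or paths Excel may resolve outside the file.
                    if rel.get("TargetMode") == "External":
                        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                        found["external_rels"].append((name, rel_type, rel.get("Target")))
    return found


if __name__ == "__main__":
    result = inspect_package(build_sample_workbook())
    for key, value in result.items():
        print(f"{key}: {value}")
```

To use it on a real sample, pass the file's bytes to inspect_package. Absence of xl/vbaProject.bin matches the report's vbamacros = False, but a clean macro indicator says nothing about external relationships, so the external_rels list is the extra check to read before accepting a "clean" classification for a workbook that arrived by mail.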
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (27 rows in the original table; one of them also sets FAILCRITICALERRORS) |
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (13 rows in the original table) |
Source: C:\Windows\splwow64.exe | Last function: Thread delayed (2 rows) |
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000 (2 rows) |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation |