
Windows Analysis Report
expense-report.xlsx

Overview

General Information

Sample name: expense-report.xlsx
Analysis ID: 1635499
MD5: c8e80438462dd86ce38d3e6f1b375064
SHA1: 073b99a12104d2e49251a2e29dd56b732f44f020
SHA256: b4ef8f7f2926ab5b30b15e9a5f40c41a774e13be363e79268b4cc526dd7e30ef

Detection

KnowBe4
Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected KnowBe4 simulated phishing
AI detected landing page (webpage, office document or email)
Creates files inside the system directory
Deletes files inside the Windows folder
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • EXCEL.EXE (PID: 6944 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\expense-report.xlsx" MD5: 4A871771235598812032C822E6F68F19)
    • chrome.exe (PID: 3804 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://secured-login.net/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ== MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 6584 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1988,i,5815368013671306217,15866554993126584888,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • splwow64.exe (PID: 8072 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
    • chrome.exe (PID: 7524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://secured-login.net/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ== MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 7540 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1896,i,16716372848069873838,4237695266062713556,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250311-050106.243000 --mojo-platform-channel-handle=2236 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
1.1.pages.csv | JoeSecurity_KnowBe4 | Yara detected KnowBe4 simulated phishing | Joe Security |
1.0.pages.csv | JoeSecurity_KnowBe4 | Yara detected KnowBe4 simulated phishing | Joe Security |

      System Summary

      Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.246.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6944, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49730
      Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49730, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6944, Protocol: tcp, SourceIp: 13.107.246.67, SourceIsIpv6: false, SourcePort: 443

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2025-03-11T18:11:25.583092+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49730 | 13.107.246.67 | 443 | TCP
      2025-03-11T18:11:32.797686+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49733 | 13.107.246.67 | 443 | TCP
      2025-03-11T18:11:32.805835+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49732 | 13.107.246.67 | 443 | TCP

      AV Detection

      Source: expense-report.xlsx | Virustotal: Detection: 16%

      Phishing

      Source: Yara match | File source: 1.1.pages.csv, type: HTML
      Source: Yara match | File source: 1.0.pages.csv, type: HTML
      Source: Office document | Joe Sandbox AI: Page contains button: 'VIEW IN BROWSER' Source: 'Office document'
      Source: Office document | Joe Sandbox AI: Office document contains prominent button: 'view in browser'
      Source: Screenshot id: 23 | Joe Sandbox AI: Page contains button: 'VIEW IN BROWSER' Source: 'Screenshot id: 23'
      Source: Screenshot id: 23 | Joe Sandbox AI: Screenshot id: 23 contains prominent button: 'view in browser'
      Source: Screenshot id: 3 | Joe Sandbox AI: Page contains button: 'VIEW IN BROWSER' Source: 'Screenshot id: 3'
      Source: Screenshot id: 3 | Joe Sandbox AI: Screenshot id: 3 contains prominent button: 'view in browser'
      Source: Screenshot id: 4 | Joe Sandbox AI: Page contains button: 'VIEW IN BROWSER' Source: 'Screenshot id: 4'
      Source: Screenshot id: 4 | Joe Sandbox AI: Screenshot id: 4 contains prominent button: 'view in browser'
      Source: Screenshot id: 20 | Joe Sandbox AI: Page contains button: 'VIEW IN BROWSER' Source: 'Screenshot id: 20'
      Source: Screenshot id: 20 | Joe Sandbox AI: Screenshot id: 20 contains prominent button: 'view in browser'
      Source: Screenshot id: 2 | Joe Sandbox AI: Page contains button: 'VIEW IN BROWSER' Source: 'Screenshot id: 2'
      Source: Screenshot id: 2 | Joe Sandbox AI: Screenshot id: 2 contains prominent button: 'view in browser'
      Source: https://secured-login.net/pages/1fd1de0c43ed583177afb02b8120ed7b/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ== | HTTP Parser: No favicon
      Source: unknown | HTTPS traffic detected: 13.107.246.67:443 -> 192.168.2.16:49730 version: TLS 1.2
      Source: Joe Sandbox View | IP Address: 104.21.16.1 104.21.16.1
      Source: Joe Sandbox View | IP Address: 13.107.246.67 13.107.246.67
      Source: Joe Sandbox View | IP Address: 104.21.96.1 104.21.96.1
      Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49730 -> 13.107.246.67:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49732 -> 13.107.246.67:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49733 -> 13.107.246.67:443
      Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211
      Source: unknown | TCP traffic detected without corresponding DNS query: 217.20.57.34
      Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.185.195
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | HTTP traffic detected:
        GET /XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ== HTTP/1.1
        Host: secured-login.net
        Connection: keep-alive
        sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
      Source: global traffic | HTTP traffic detected:
        GET /pages/1fd1de0c43ed583177afb02b8120ed7b/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ== HTTP/1.1
        Host: secured-login.net
        Connection: keep-alive
        sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Dest: document
        Referer: https://secured-login.net/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
      Source: global traffic | HTTP traffic detected:
        GET /assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css HTTP/1.1
        Host: secured-login.net
        Connection: keep-alive
        sec-ch-ua-platform: "Windows"
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
        sec-ch-ua-mobile: ?0
        Accept: text/css,*/*;q=0.1
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: style
        Referer: https://secured-login.net/pages/1fd1de0c43ed583177afb02b8120ed7b/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
      Source: global traffic | HTTP traffic detected:
        GET /assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js HTTP/1.1
        Host: secured-login.net
        Connection: keep-alive
        sec-ch-ua-platform: "Windows"
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
        sec-ch-ua-mobile: ?0
        Accept: */*
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: script
        Referer: https://secured-login.net/pages/1fd1de0c43ed583177afb02b8120ed7b/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
      Source: global traffic | HTTP traffic detected:
        GET /favicon.ico HTTP/1.1
        Host: secured-login.net
        Connection: keep-alive
        sec-ch-ua-platform: "Windows"
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
        sec-ch-ua-mobile: ?0
        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: image
        Referer: https://secured-login.net/pages/1fd1de0c43ed583177afb02b8120ed7b/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
      Source: global traffic | HTTP traffic detected:
        GET /favicon.ico HTTP/1.1
        Host: secured-login.net
        Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        Accept: */*
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: cors
        Sec-Fetch-Dest: empty
        Sec-Fetch-Storage-Access: active
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
      Source: global traffic | HTTP traffic detected:
        GET /rules/excel.exe-Production-v19.bundle HTTP/1.1
        Connection: Keep-Alive
        Accept-Encoding: gzip
        User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
        Host: otelrules.svc.static.microsoft
      Source: global traffic | HTTP traffic detected:
        GET /rules/rule120603v8s19.xml HTTP/1.1
        Connection: Keep-Alive
        Accept-Encoding: gzip
        User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
        Host: otelrules.svc.static.microsoft
      Source: global traffic | HTTP traffic detected:
        GET /rules/rule120607v1s19.xml HTTP/1.1
        Connection: Keep-Alive
        Accept-Encoding: gzip
        User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
        Host: otelrules.svc.static.microsoft
      Source: global traffic | HTTP traffic detected:
        GET /XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ== HTTP/1.1
        Host: secured-login.net
        Connection: keep-alive
        sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
        If-None-Match: W/"47cb192d38fc156b45f7c315c71023cd"
      Source: global traffic | HTTP traffic detected:
        GET /pages/1fd1de0c43ed583177afb02b8120ed7b/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ== HTTP/1.1
        Host: secured-login.net
        Connection: keep-alive
        sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Dest: document
        Referer: https://secured-login.net/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
        If-None-Match: W/"126bae31edaf17243c89852970ad6124"
      Source: global traffic | DNS traffic detected: DNS query: secured-login.net
      Source: global traffic | DNS traffic detected: DNS query: www.google.com
      Source: global traffic | DNS traffic detected: DNS query: www.cshco.com
      Source: global traffic | DNS traffic detected: DNS query: a.nel.cloudflare.com
      Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
      Source: unknown | HTTP traffic detected:
        POST /report/v4?s=Oy9iuw44bqfr%2BBRFtWRCWkjCtDkN%2F%2FeSoqBM0R5%2F9%2FFzekAwuTy5%2FHq4TlYi832djm7qIeaCK8vp5FTQhxe9dtxAPcnYJoOgryPeFDM3Pk4c1JXrye%2BQn3T8i8RTgBLu HTTP/1.1
        Host: a.nel.cloudflare.com
        Connection: keep-alive
        Content-Length: 677
        Content-Type: application/reports+json
        Origin: https://www.cshco.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
        Accept-Encoding: gzip, deflate, br, zstd
        Accept-Language: en-US,en;q=0.9
      Source: chromecache_966.4.dr | String found in binary or memory: https://secured-login.net/pages/1fd1de0c43ed583177afb02b8120ed7b/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sj
      Source: chromecache_967.4.dr | String found in binary or memory: https://www.cshco.com/wp-content/uploads/CSH-Logo-2017-700px-wide-300x46.png

      System Summary

      Source: screenshot | OCR: enable Editing to view this spreadsheet. CAN'T VIEW THE SPREADSHEET? FOLLOW THE STEPS BELOW: Open th
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir3804_479527275
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir3804_479527275
      Source: ~DF037F3991415B354E.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: ~DF4D9A03CEC4FA5383.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: classification engine | Classification label: mal68.phis.winXLSX@34/11@19/10
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$expense-report.xlsx
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{BA930F03-F7DD-414A-859F-CBCAD4A31936} - OProcSessId.dat
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
      Source: expense-report.xlsx | Virustotal: Detection: 16%
      Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\expense-report.xlsx"
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://secured-login.net/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1988,i,5815368013671306217,15866554993126584888,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://secured-login.net/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1896,i,16716372848069873838,4237695266062713556,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250311-050106.243000 --mojo-platform-channel-handle=2236 /prefetch:3
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://secured-login.net/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://secured-login.net/XdXJdsPWh0dHlBzOi8vc2nVjdXJldtZC1sjb2dpbi5uhZXaQvcGFnZXMvMWZkMWRlnMGM0M2VkNTgzMTc3YWZiMDJiODEyMGVkN2ImZW1haWxfdGVtcGxhdGVfaWQ9NDEzMDczOCZhY3Rpb249cHJldmlldyZ1c2VyX2lkPTEwNTc3MzQ0OQ==
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1988,i,5815368013671306217,15866554993126584888,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1896,i,16716372848069873838,4237695266062713556,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250311-050106.243000 --mojo-platform-channel-handle=2236 /prefetch:3
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
      Source: ~DF037F3991415B354E.TMP.0.drInitial sample: OLE indicators vbamacros = False
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 459Jump to behavior
      Source: C:\Windows\splwow64.exeLast function: Thread delayed
      Source: C:\Windows\splwow64.exeLast function: Thread delayed
      Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
      Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior
ATT&CK matrix, one line per tactic with the five matrix cells listed left to right. A number in parentheses is the report's match count for that technique; techniques without a number are the unmatched placeholder cells of the matrix.

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd
Persistence: Browser Extensions (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script
Privilege Escalation: Process Injection (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script
Defense Evasion: Masquerading (11) | Disable or Modify Tools (1) | Virtualization/Sandbox Evasion (1) | Process Injection (1) | File Deletion (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets
Discovery: Process Discovery (1) | Virtualization/Sandbox Evasion (1) | Application Window Discovery (1) | File and Directory Discovery (1) | System Information Discovery (1)
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging
Command and Control: Encrypted Channel (1) | Ingress Tool Transfer (1) | Non-Application Layer Protocol (3) | Application Layer Protocol (4) | Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact
      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1635499, Sample: expense-report.xlsx, Start date: 11/03/2025, Architecture: WINDOWS, Score: 68

Start node (2)
  DNS/IP: star-azurefd-prod.trafficmanager.net; shed.dual-low.s-part-0039.t-0009.t-msedge.net; 3 other IPs or domains
  Signatures: Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Yara detected KnowBe4 simulated phishing; AI detected landing page (webpage, office document or email)
  started: EXCEL.EXE (node 8; graph counters 219, 61)

EXCEL.EXE (node 8)
  DNS/IP: s-part-0039.t-0009.t-msedge.net 13.107.246.67, ports 443, 49730, 49732, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
  dropped: C:\Users\user\Desktop\~$expense-report.xlsx (data)
  started: chrome.exe (node 12; graph counter 2); chrome.exe (node 15); splwow64.exe (node 17; graph counter 1)

chrome.exe (node 12)
  DNS/IP: 192.168.2.16, ports 138, 443, 49242, unknown ASN, unknown country
  started: chrome.exe (node 19)

chrome.exe (node 15)
  started: chrome.exe (node 22)

chrome.exe (node 19)
  DNS/IP: www.google.com 142.250.186.164, ports 443, 49715, 49736, GOOGLEUS, United States; a.nel.cloudflare.com 35.190.80.1, ports 443, 49725, 49726, GOOGLEUS, United States; 3 other IPs or domains

chrome.exe (node 22)
  DNS/IP: 142.250.185.196, ports 443, 49748, GOOGLEUS, United States; 104.21.96.1, ports 443, 49749, CLOUDFLARENETUS, United States; 52.21.180.167, ports 443, 49739, 49741, AMAZON-AESUS, United States
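The behaviour graph above is the one place in the report where every contacted host is tied to the process that contacted it, which is what matters for triage: a browser talking to Google and Cloudflare is background noise, while an Office process opening its own TLS session is the edge worth looking at. The following is an added example, not part of the Joe Sandbox report or its tooling: a Python parser that turns the graph's text dump into IOC records (process, hostname, IP, service and client ports, ASN, country), marks private addresses, and separates the hosts the Office process contacted directly. The GRAPH constant is the graph text of this report copied in; the node layout encoded in EDGE_RE and PROC_RE, the function names, the OFFICE_IMAGES set and the 49152 client-port boundary are assumptions of the example, not a documented Joe Sandbox format.

```python
"""Extract IOC records from the text dump of a Joe Sandbox behaviour graph.

Added example, not part of the report. The layout assumed for DNS/IP nodes is
    <node> [hostname] <ip>, <port>[, <port>...] <ASN> <country> <parent>-><node>
and for process nodes
    <node> <image>.exe [counters] <parent>-><node>
"""
import ipaddress
import re

# Graph text copied from this report (whitespace collapsed); constructed input for the example.
GRAPH = (
    r"behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1635499 Sample: expense-report.xlsx "
    r"Startdate: 11/03/2025 Architecture: WINDOWS Score: 68 "
    r"26 star-azurefd-prod.trafficmanager.net 2->26 "
    r"28 shed.dual-low.s-part-0039.t-0009.t-msedge.net 2->28 30 3 other IPs or domains 2->30 "
    r"48 Multi AV Scanner detection for submitted file 2->48 "
    r"50 Office document tries to convince victim to disable security protection "
    r"(e.g. to enable ActiveX or Macros) 2->50 52 Yara detected KnowBe4 simulated phishing 2->52 "
    r"54 AI detected landing page (webpage, office document or email) 2->54 "
    r"8 EXCEL.EXE 219 61 2->8 started signatures3 process4 dnsIp5 "
    r"44 s-part-0039.t-0009.t-msedge.net 13.107.246.67, 443, 49730, 49732 "
    r"MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->44 "
    r"24 C:\Users\user\Desktop\~$expense-report.xlsx, data 8->24 dropped "
    r"12 chrome.exe 2 8->12 started 15 chrome.exe 8->15 started 17 splwow64.exe 1 8->17 started "
    r"file6 process7 dnsIp8 46 192.168.2.16, 138, 443, 49242 unknown unknown 12->46 "
    r"19 chrome.exe 12->19 started 22 chrome.exe 15->22 started process9 dnsIp10 "
    r"32 www.google.com 142.250.186.164, 443, 49715, 49736 GOOGLEUS United States 19->32 "
    r"34 a.nel.cloudflare.com 35.190.80.1, 443, 49725, 49726 GOOGLEUS United States 19->34 "
    r"42 3 other IPs or domains 19->42 "
    r"36 142.250.185.196, 443, 49748 GOOGLEUS United States 22->36 "
    r"38 104.21.96.1, 443, 49749 CLOUDFLARENETUS United States 22->38 "
    r"40 52.21.180.167, 443, 49739, 49741 AMAZON-AESUS United States 22->40"
)

# Assumed layout of a DNS/IP node; the back-reference ties the edge to its own node id.
EDGE_RE = re.compile(
    r"\b(?P<node>\d+) "
    r"(?:(?P<host>[A-Za-z][\w.-]*) )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<ports>(?:, \d+)+) "
    r"(?P<asn>\S+) (?P<country>[A-Za-z ]+?) "
    r"(?P<src>\d+)->(?P=node)\b"
)
# Assumed layout of a process node; extension case varies (EXCEL.EXE vs chrome.exe).
PROC_RE = re.compile(r"\b(?P<node>\d+) (?P<proc>[\w.-]+\.(?:exe|EXE))\b")

# Windows hands out client-side ports from 49152 upward by default, so ports below
# that in the list are service ports and the rest are the sandbox's client ports.
WINDOWS_EPHEMERAL_START = 49152
OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}  # assumed set for the example


def parse_processes(graph):
    """Map graph node id -> process image name."""
    return {m["node"]: m["proc"] for m in PROC_RE.finditer(graph)}


def parse_network_edges(graph):
    """Return one IOC record per DNS/IP node, attributed to the process that owns the edge."""
    procs = parse_processes(graph)
    edges = []
    for m in EDGE_RE.finditer(graph):
        ports = [int(p) for p in m["ports"].strip(", ").split(", ")]
        edges.append({
            "process": procs.get(m["src"], "node" + m["src"]),
            "host": m["host"],
            "ip": m["ip"],
            "service_ports": [p for p in ports if p < WINDOWS_EPHEMERAL_START],
            "client_ports": [p for p in ports if p >= WINDOWS_EPHEMERAL_START],
            "asn": m["asn"],
            "country": m["country"],
            "private": ipaddress.ip_address(m["ip"]).is_private,
        })
    return edges


def triage(edges):
    """Order the records for an analyst: Office-originated public traffic first, then the IOC list."""
    office_direct = [e for e in edges
                     if e["process"].upper() in OFFICE_IMAGES and not e["private"]]
    public_ips = sorted({e["ip"] for e in edges if not e["private"]},
                        key=ipaddress.ip_address)
    private_ips = [e["ip"] for e in edges if e["private"]]
    return {"office_direct": office_direct, "public_ips": public_ips, "private_ips": private_ips}


if __name__ == "__main__":
    result = triage(parse_network_edges(GRAPH))
    for e in result["office_direct"]:
        print(f"{e['process']} -> {e['host']} {e['ip']} svc={e['service_ports']} "
              f"client={e['client_ports']} {e['asn']} {e['country']}")
    print("public IPs:", ", ".join(result["public_ips"]))
    print("private IPs:", ", ".join(result["private_ips"]))
```

On this report the parser yields seven edges; the only one attributed to EXCEL.EXE is the Microsoft edge-network host over 443, and the only private address is 192.168.2.16 seen from a chrome.exe child. Whether the remaining public addresses are worth blocking is a separate question: Google, Cloudflare and AWS ranges in a browser's traffic are expected background, so the list is input to a review, not a blocklist.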

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.