
Windows Analysis Report
Bijlage 2 Vragenlijst.xlsx

Overview

General Information

Sample name: Bijlage 2 Vragenlijst.xlsx
Analysis ID: 1417448
MD5: fd2cb6ad9501c1a33d41c48e6e0d29c7
SHA1: f97c475da86fc2a88211e5f4813ce19d0cadf54b
SHA256: 4d75da97852c7a36c17b8dabf791be20e03bfaeb3f47db1309ecef8507dd3f72
Infos:

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook
No malicious behavior found; analyze the document also on other versions of Office / Acrobat
  • System is w10x64
  • EXCEL.EXE (PID: 1216 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 5228 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.246.40, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1216, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49733
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49733, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1216, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 443
No Snort rule has matched


There are no malicious signatures.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: excel.exe | Memory has grown: Private usage: 2MB later: 75MB
Source: Joe Sandbox View | IP Address: 13.107.246.40
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324007v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: 3BCF1243.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine | Classification label: clean4.winXLSX@3/5@0/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Bijlage 2 Vragenlijst.xlsx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{ABD93842-7609-4511-882A-C127CD4A44DC} - OProcSessId.dat
Source: Bijlage 2 Vragenlijst.xlsx | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000303-0000-0000-C000-000000000046}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = docProps/custom.xml
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/item2.xml
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/item3.xml
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/item4.xml
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/itemProps4.xml
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE zip file path = customXml/_rels/item4.xml.rels
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: Bijlage 2 Vragenlijst.xlsx | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 835
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Exploitation for Client Execution (2) | Path Interception | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Process Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Extra Window Memory Injection (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Application Window Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Extra Window Memory Injection (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
(Numbers in parentheses are the counts the report shows next to the matched techniques; techniques without a count are the matrix placeholders.)
No Antivirus matches
Source | Detection | Scanner | Label
part-0012.t-0009.t-msedge.net | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.40 | part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1417448
Start date and time:2024-03-29 10:21:27 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 1s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Potential for more IOCs and behavior
Number of new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Bijlage 2 Vragenlijst.xlsx
Detection:CLEAN
Classification:clean4.winXLSX@3/5@0/1
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.113.194.132, 23.221.242.90, 52.109.8.36, 72.21.81.240, 20.189.173.8
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, cus-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, onedscolprdwus07.westus.cloudapp.azure.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, wu-bg-shim.trafficmanager.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.li
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:23:13 | API Interceptor | 854x Sleep call for process: splwow64.exe modified
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:dropped
Size (bytes):4770
Entropy (8bit):7.946747821604857
Encrypted:false
SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
SHA1:719C37C320F518AC168C86723724891950911CEA
SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
Malicious:false
Reputation:moderate, very likely benign file
Preview:MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.).*.....Y@...(..).R."E..D^6........u....|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O.*..R....*......D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;|.*h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.*z..2.Py...A..s...z..@...4..........4.....*Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):338
Entropy (8bit):3.1630232436556387
Encrypted:false
SSDEEP:3:kkFkl2PtfllXlE/0htlX16pFRltB+SliQlP8F+RlTRe86A+iRlERMta9b3+AL0Wy:kKuN+SkQlPlEGYRMY9z+s3Ql2DUevat
MD5:A03CB2229D0E105B8B2778959BC904C5
SHA1:57EE9535EF6B80F62C8D71E89F1CDB0319B69903
SHA-256:6EE74FF142A14A705A89B41E30D57C42B325BFA130EBD16E48C33066A519C793
SHA-512:D374747920E4FD25A8E8BB55ED486F630CC4C6CD555E3A800066210066196C6E659DB3774F6515AF858C400BAC90C81BF834FF4BFDF542C9310F2ABC29228A73
Malicious:false
Reputation:low
Preview:p...... ..............(....................................................... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):1536
Entropy (8bit):1.1464700112623651
Encrypted:false
SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:false
Reputation:high, very likely benign file
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Reputation:high, very likely benign file
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):165
Entropy (8bit):1.5231029153786204
Encrypted:false
SSDEEP:3:sYp5lFltt:sYp5Nv
MD5:B77267835A6BEAC785C351BDE8E1A61C
SHA1:FABD93A92989535D43233E3DB9C6579D8174740E
SHA-256:3B222E766EADC8BC9A8A90AC32FA591F313545B7E8C5D481D378AE307FA798C3
SHA-512:FFFCBA958E9BD56F284DA19592F124C48B013FCDA2FBE65B3EB38BB644C2B0C978E6DAE99EF213B054813C7212E119B09236A6FFF342D32E52C84DD26DE1E033
Malicious:false
Reputation:moderate, very likely benign file
Preview:.user ..a.l.f.o.n.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File type:Microsoft Excel 2007+
Entropy (8bit):7.108971734911262
TrID:
  • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
  • ZIP compressed archive (8000/1) 16.67%
File name:Bijlage 2 Vragenlijst.xlsx
File size:23'829 bytes
MD5:fd2cb6ad9501c1a33d41c48e6e0d29c7
SHA1:f97c475da86fc2a88211e5f4813ce19d0cadf54b
SHA256:4d75da97852c7a36c17b8dabf791be20e03bfaeb3f47db1309ecef8507dd3f72
SHA512:e190002fb10ee274891ae679ec0a38549ec1f66179deef387ed27aab01749a8c9b5ee9c6497b433e4519c6dc09a363ae9e66bcd7cbf8083f7246d694cb31fa02
SSDEEP:384:8eikQT/MeC9hRUyuOxriw0kBpBVpV3lyv8J8nhnpv:8RXEfRNkkBpb3lyNnN
TLSH:BCB2AE39DD18A858C277667E810D44F33929B282D395AB6F3C94F25D0B90A8F577F2C8
File Content Preview:PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................
Icon Hash:35e58a8c0c8a85b9
Document Type:OpenXML
Number of OLE Files:1
Has Summary Info:
Application Name:
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 29, 2024 10:23:18.566688061 CET | 1.1.1.1 | 192.168.2.5 | 0xd70b | No error (0) | shed.dual-low.part-0012.t-0009.t-msedge.net | part-0012.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 29, 2024 10:23:18.566688061 CET | 1.1.1.1 | 192.168.2.5 | 0xd70b | No error (0) | part-0012.t-0009.t-msedge.net | | 13.107.246.40 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 10:23:18.566688061 CET | 1.1.1.1 | 192.168.2.5 | 0xd70b | No error (0) | part-0012.t-0009.t-msedge.net | | 13.107.213.40 | A (IP address) | IN (0x0001) | false
  • otelrules.azureedge.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49736 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:18 UTC | 207 | OUT | GET /rules/rule324001v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 545 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 513
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Fri, 15 Dec 2023 01:11:58 GMT
ETag: 0x8DBFD0AD5C19AD1
x-ms-request-id: 4800c6ee-a01e-007d-0ccb-80f8e3000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-npcyu9krd51132e58grn4grsn000000002pg00000000s2fm
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 513 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49734 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:18 UTC | 208 | OUT | GET /rules/rule170012v10s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 638 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 1523
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Thu, 14 Mar 2024 15:55:45 GMT
ETag: 0x8DC443F35D4E780
x-ms-request-id: 1bfc2474-c01e-002f-09cb-80cdd4000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-x67sv75c354b335e6u6f3msdew00000002n0000000007e0z
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 1523 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="10" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49735 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:18 UTC | 207 | OUT | GET /rules/rule490016v3s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 525 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 777
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 29 Mar 2022 04:08:31 GMT
ETag: 0x8DA1139C929C121
x-ms-request-id: ae936b69-201e-001d-3aba-81bac1000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-gdskurbeup1rzd4qywphk5kzbw00000002mg00000000w8qd
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_MISS
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 777 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49733 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:18 UTC | 206 | OUT | GET /rules/rule63067v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 638 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 2871
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Mon, 13 Nov 2023 14:54:01 GMT
ETag: 0x8DBE4585F99472E
x-ms-request-id: fa54f8ab-001e-000f-0ddf-805ce7000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-z8725mcsw17gx5ec1d1bdrgca000000002g00000000132my
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 2871 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49737 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:18 UTC | 207 | OUT | GET /rules/rule324002v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 545 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 833
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 20 Feb 2024 22:28:40 GMT
ETag: 0x8DC326349F63883
x-ms-request-id: 5bd5eebb-001e-008b-62cb-80a7ba000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-npcyu9krd51132e58grn4grsn000000002pg00000000s2fq
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 833 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49738 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:19 UTC | 207 | OUT | GET /rules/rule324003v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 545 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 716
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 20 Feb 2024 22:28:41 GMT
ETag: 0x8DC32634A8DF559
x-ms-request-id: 1bfc2569-c01e-002f-6ccb-80cdd4000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-fbsuskukgd7u74wr9uws7q3kxc00000002u000000000dct5
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 716 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49740 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:19 UTC | 207 | OUT | GET /rules/rule324005v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 545 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Fri, 15 Dec 2023 01:11:56 GMT
ETag: 0x8DBFD0AD4B2273C
x-ms-request-id: a0430e8b-d01e-004e-1dcb-80a4f4000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-uay40fh5wt1nhf3c3qzdbxvzps00000002s000000000z2bt
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 599 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49739 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:19 UTC | 207 | OUT | GET /rules/rule324004v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 545 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 738
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Wed, 22 Nov 2023 02:14:14 GMT
ETag: 0x8DBEB00B986DAC8
x-ms-request-id: fc778f55-301e-0028-53cb-801cda000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-0hz3egkyq90gf5g0ffgz6m7tpg00000002ng00000000rx83
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 738 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49741 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:19 UTC | 207 | OUT | GET /rules/rule324006v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 545 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Fri, 15 Dec 2023 01:11:55 GMT
ETag: 0x8DBFD0AD4628C42
x-ms-request-id: 5ce84982-c01e-0013-58cf-8018dc000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-8yngfh7h3506x6uds3pm58hn4s00000002t000000000q4t0
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 599 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49742 | 13.107.246.40 | 443 | 1216 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-03-29 09:23:19 UTC | 207 | OUT | GET /rules/rule324007v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-03-29 09:23:19 UTC | 545 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Mar 2024 09:23:19 GMT
Content-Type: text/xml
Content-Length: 611
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Fri, 15 Dec 2023 01:11:52 GMT
ETag: 0x8DBFD0AD2A73A7A
x-ms-request-id: cb56e038-401e-004f-4fcf-808ff6000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
x-azure-ref: 20240329T092319Z-k4qectk3z50kv4pws28ww80vzg00000002v000000000yfqy
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-03-29 09:23:19 UTC | 611 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324007" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryIdeMacroRun" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="



Target ID: 0
Start time: 10:22:09
Start date: 29/03/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0x8d0000
File size: 53'161'064 bytes
MD5 hash: 4A871771235598812032C822E6F68F19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 10:23:13
Start date: 29/03/2024
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff6365c0000
File size: 163'840 bytes
MD5 hash: 77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

No disassembly