Windows Analysis Report
SOC Clients RD Creds Proj.xlsx

Overview

General Information

Sample name: SOC Clients RD Creds Proj.xlsx
Analysis ID: 1427774
MD5: 4620fff63919cbf1d2de7a040b58a60a
SHA1: c4114ae3659b273367f9d83be591aa617b0cf6cd
SHA256: 1830ee56f231c0f7183dd88439c6ebc5436f1fc94cc380b7102b11f487a8e03c

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
No malicious behavior found, analyze the document also on other versions of Office / Acrobat
  • System is w10x64
  • EXCEL.EXE (PID: 7276 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 8128 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.213.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7276, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49753
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49753, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7276, Protocol: tcp, SourceIp: 13.107.213.41, SourceIsIpv6: false, SourcePort: 443
No Snort rule has matched

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49753
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49755
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49754
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: excel.exe | Memory has grown: Private usage: 2MB later: 71MB
Source: Joe Sandbox View | IP Address: 13.107.213.41
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324007v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: classification engine | Classification label: clean4.winXLSX@3/2@0/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$SOC Clients RD Creds Proj.xlsx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{513344B4-E590-40C6-AB2B-906C10CFC311} - OProcSessId.dat
Source: SOC Clients RD Creds Proj.xlsx | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: SOC Clients RD Creds Proj.xlsx | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 798Jump to behavior
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior
MITRE ATT&CK matrix, listed by tactic (numbered entries are the techniques marked in the report's matrix, with the count shown there):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Exploitation for Client Execution; Scheduled Task/Job; At; Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 Extra Window Memory Injection; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Extra Window Memory Injection; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Process Discovery; 1 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 1 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
No Antivirus matches
Source | Detection | Scanner | Label
part-0013.t-0009.t-msedge.net | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
part-0013.t-0009.t-msedge.net | 13.107.213.41 | true | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.213.41 | part-0013.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1427774
Start date and time:2024-04-18 06:56:34 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Potential for more IOCs and behavior
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SOC Clients RD Creds Proj.xlsx
Detection:CLEAN
Classification:clean4.winXLSX@3/2@0/1
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.8.89, 184.31.62.93, 52.113.194.132, 52.109.16.112, 72.21.81.240, 20.189.173.2
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, cus-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, osiprod-ncus-buff-azsc-000.northcentralus.cloudapp.azure.com, wu.azureedge.net, ncus-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, s-0005.s-msedge.ne
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:58:27 | API Interceptor | 817x Sleep call for process: splwow64.exe modified
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):338
Entropy (8bit):3.459804934679828
Encrypted:false
SSDEEP:6:kKQRkN48hkFiJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:oCN4rBkPlE99SCQl2DUevat
MD5:AB19BF667B71F03FBBB60154D7F7CE48
SHA1:58CF84049CF169458B8C10B4AD47AD4B1B794206
SHA-256:35A31B9042CB8B3A2D7F60B6C04152160606FFEB927933B76D4ED564368723C0
SHA-512:7F91D6F2A802ECE070C705813EF026D695886600FFB8782AFEDE8A084E6DC8A874515E6FC1AFC5220031A01C1D5F46F632F54ADC87F2FBF603E7448088E0D229
Malicious:false
Reputation:low
Preview:p...... ........'...L...(................................................0..@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):165
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:KVC+cAmltV:KVC+cR
MD5:9C7132B2A8CABF27097749F4D8447635
SHA1:71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256:7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512:333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious:false
Reputation:moderate, very likely benign file
Preview:.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File type:Microsoft Excel 2007+
Entropy (8bit):7.816123788118014
TrID:
  • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
  • ZIP compressed archive (8000/1) 16.67%
File name:SOC Clients RD Creds Proj.xlsx
File size:36'724 bytes
MD5:4620fff63919cbf1d2de7a040b58a60a
SHA1:c4114ae3659b273367f9d83be591aa617b0cf6cd
SHA256:1830ee56f231c0f7183dd88439c6ebc5436f1fc94cc380b7102b11f487a8e03c
SHA512:fb3cffc67fe768cb645dc5caec7e247d2c9f8b2d9d9dfa6bdbfba0b209fb47e32f2799c8929d4071991e78f036e6a92396a3d0e085143badec691b530c8dd884
SSDEEP:768:wMuBTcI/CXg0eiTmJlt6TVxNaNd/N0K0bax8lZ4cfN:1uBb/CXg0e4mJlmyNROJGxO4c1
TLSH:D7F2E146D25D1097E3BF5079021936A47E3E8002DDB6395F3964F32B93E098B3B9E94E
File Content Preview:PK..........!.b..h^...........[Content_Types].xml ...(.........................................................................................................................................................................................................
Icon Hash:35e58a8c0c8a85b9
Document Type:OpenXML
Number of OLE Files:1
Has Summary Info:
Application Name:
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 18, 2024 06:58:32.259047985 CEST | 1.1.1.1 | 192.168.2.4 | 0xb6cc | No error (0) | shed.dual-low.part-0013.t-0009.t-msedge.net | part-0013.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 18, 2024 06:58:32.259047985 CEST | 1.1.1.1 | 192.168.2.4 | 0xb6cc | No error (0) | part-0013.t-0009.t-msedge.net | | 13.107.213.41 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 06:58:32.259047985 CEST | 1.1.1.1 | 192.168.2.4 | 0xb6cc | No error (0) | part-0013.t-0009.t-msedge.net | | 13.107.246.41 | A (IP address) | IN (0x0001) | false
  • otelrules.azureedge.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49755 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:32 UTC | 207 | OUT | GET /rules/rule490016v3s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:32 UTC | 471 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:32 GMT
Content-Type: text/xml
Content-Length: 777
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT
ETag: "0x8DC582BEC2AAB32"
x-ms-request-id: ed909f5d-801e-006f-0e4d-911ec5000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045832Z-r1f585c6b65s7kgqgxy5zxdub400000007v00000000013ut
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_MISS
Accept-Ranges: bytes
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49754 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:32 UTC | 208 | OUT | GET /rules/rule170012v10s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:32 UTC | 564 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:32 GMT
Content-Type: text/xml
Content-Length: 1523
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT
ETag: "0x8DC582BD969CD29"
x-ms-request-id: ec692e2e-e01e-0001-404d-91fefa000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045832Z-r1f585c6b65s6t5bg30nh02cq000000004qg000000001ukf
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_MISS
Accept-Ranges: bytes
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="10" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49753 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:32 UTC | 206 | OUT | GET /rules/rule63067v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:32 UTC | 584 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:32 GMT
Content-Type: text/xml
Content-Length: 2871
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT
ETag: "0x8DC582BEC5E84E0"
x-ms-request-id: 8e6f73bf-801e-006f-43de-8f1ec5000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045832Z-18655757dbczg7gg29589z2gyn000000068g000000006bn2
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-04-18 04:58:32 UTC | 2871 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49757 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:32 UTC | 207 | OUT | GET /rules/rule324002v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:32 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:32 GMT
Content-Type: text/xml
Content-Length: 833
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT
ETag: "0x8DC582BD9758B35"
x-ms-request-id: 218c6939-e01e-003d-2c1a-902bf2000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045832Z-18655757dbc2g2k9uvx6z0wf3g00000004b0000000006yvz
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-04-18 04:58:32 UTC | 833 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 32 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 44 65 63 6c 61 72 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 30
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49756 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:32 UTC | 207 | OUT | GET /rules/rule324001v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:32 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:32 GMT
Content-Type: text/xml
Content-Length: 513
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:31 GMT
ETag: "0x8DC582BD84BDCC1"
x-ms-request-id: fa95e62b-001e-0033-12d2-9089ef000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045832Z-r1f585c6b65s6t5bg30nh02cq000000004rg000000001mpe
x-fd-int-roxy-purgeid: 0
X-Cache-Info: L1_T2
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-04-18 04:58:32 UTC | 513 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 31 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 50 72 6f 6a 65 63 74 4c 6f 61 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49758 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:33 UTC | 207 | OUT | GET /rules/rule324004v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:33 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:33 GMT
Content-Type: text/xml
Content-Length: 738
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9FE7D4B"
x-ms-request-id: c29d41e6-e01e-0079-731a-9054eb000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045833Z-18655757dbcrsjqwq658bc0ff0000000064g000000006egb
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-04-18 04:58:33 UTC | 738 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 34 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 4f 62 6a 65 63 74 49 6e 73 74 61 6e 74 69 61 74 65 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49759 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:33 UTC | 207 | OUT | GET /rules/rule324003v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:33 UTC | 471 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:33 GMT
Content-Type: text/xml
Content-Length: 716
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9F5CC0A"
x-ms-request-id: 01d5512d-701e-003c-6f4d-9100f0000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045833Z-r1f585c6b65wz25qxmdpx2rpgg00000001s0000000001uxp
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_MISS
Accept-Ranges: bytes
2024-04-18 04:58:33 UTC | 716 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 33 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 52 65 66 65 72 65 6e 63 65 64 4c 69 62 72 61 72 79 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49760 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:33 UTC | 207 | OUT | GET /rules/rule324005v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:33 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:33 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:51 GMT
ETag: "0x8DC582BC0B3C3C8"
x-ms-request-id: e949e43f-801e-006f-1718-901ec5000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045833Z-18655757dbc4ww6dg55cr6ae400000000690000000003cq1
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-04-18 04:58:33 UTC | 599 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 35 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 70 69 6c 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49762 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:33 UTC | 207 | OUT | GET /rules/rule324007v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:33 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:33 GMT
Content-Type: text/xml
Content-Length: 611
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:50 GMT
ETag: "0x8DC582BBFB58BC6"
x-ms-request-id: f0ddf202-e01e-0001-0518-90fefa000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045833Z-18655757dbcxz6b6hxdud1ubbc000000068g000000003n89
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-04-18 04:58:33 UTC | 611 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 37 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 49 64 65 4d 61 63 72 6f 52 75 6e 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324007" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryIdeMacroRun" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49761 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-18 04:58:33 UTC | 207 | OUT | GET /rules/rule324006v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-18 04:58:33 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 04:58:33 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:44 GMT
ETag: "0x8DC582BBC83D642"
x-ms-request-id: c5869c87-201e-0065-05ca-9010d0000000
x-ms-version: 2018-03-28
x-azure-ref: 20240418T045833Z-18655757dbcxz6b6hxdud1ubbc0000000650000000007f8u
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-04-18 04:58:33 UTC | 599 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 36 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 53 68 6f 77 49 64 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">
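All nine sessions above are EXCEL.EXE fetching telemetry rule files from otelrules.azureedge.net with the Office User-Agent; that traffic is what fired the "Excel Network Connections" and "Suspicious Office Outbound Connections" Sigma rules listed in the report. The script below is an added example (not part of the Joe Sandbox report or of any Microsoft tooling) showing how an analyst can triage such sessions offline: it parses a captured request in the shape shown above, decodes the hex "Data Raw" body (UTF-8 with a leading BOM, ef bb bf) to recover the rule Id and event name, and scores the destination against an assumed allowlist. The allowlist, the verdict labels, and the second "unknown host" request are this example's own constructions; only SAMPLE_REQUEST and SAMPLE_RAW_HEX are copied from session 2.

```python
"""Offline triage of Office HTTP sessions from a sandbox capture.

Added example; not from the Joe Sandbox report. The allowlist, the
verdict labels and the "suspicious" contrast request are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed baseline: the only host the report's nine sessions contact.
# Extend it with what your own Office fleet is observed to talk to.
BENIGN_OFFICE_HOSTS = {"otelrules.azureedge.net"}
OFFICE_UA = re.compile(r"^Microsoft Office/\d+\.\d+ \(Windows NT ")
# Pulls Id and EN out of the <R ...> element of a downloaded rule file.
RULE_ATTRS = re.compile(r'<R\b[^>]*?\bId="(?P<id>\d+)"[^>]*?\bEN="(?P<en>[^"]+)"')

# Copied from session 2 above: request line and headers as captured.
SAMPLE_REQUEST = (
    "GET /rules/rule63067v4s19.xml HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept-Encoding: gzip\r\n"
    "User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)\r\n"
    "Host: otelrules.azureedge.net\r\n\r\n"
)
# First bytes of session 2's "Data Raw" response body, copied from above.
SAMPLE_RAW_HEX = (
    "ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 "
    "65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 "
    "49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d "
    "22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 "
    "73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20"
)
# Constructed contrast case, NOT from the report: same Office User-Agent,
# unknown host. cdn.example.net and the path are placeholders.
SUSPICIOUS_REQUEST = (
    "GET /u/payload.bin HTTP/1.1\r\n"
    "User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)\r\n"
    "Host: cdn.example.net\r\n\r\n"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Split an HTTP/1.1 request head into method, path and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def decode_raw(hex_dump: str) -> str:
    """Decode the report's space-separated hex; utf-8-sig strips the BOM."""
    return bytes.fromhex(hex_dump).decode("utf-8-sig", errors="replace")


def rule_from_body(body: str):
    """Return (Id, EN) of the telemetry rule's <R> element, or None."""
    m = RULE_ATTRS.search(body)
    return (m.group("id"), m.group("en")) if m else None


def triage(req: HttpRequest) -> dict:
    """Classify one outbound request; verdict labels are this example's own."""
    host = req.headers.get("host", "")
    office_ua = bool(OFFICE_UA.match(req.headers.get("user-agent", "")))
    known_host = host in BENIGN_OFFICE_HOSTS
    if office_ua and known_host and req.path.startswith("/rules/rule"):
        verdict = "benign-office-telemetry"
    elif office_ua:
        verdict = "office-outbound-unknown-host"  # the case worth analyst time
    else:
        verdict = "non-office-user-agent"
    return {"host": host, "path": req.path, "office_ua": office_ua,
            "known_host": known_host, "verdict": verdict}


if __name__ == "__main__":
    print("rule:", rule_from_body(decode_raw(SAMPLE_RAW_HEX)))
    for raw in (SAMPLE_REQUEST, SUSPICIOUS_REQUEST):
        print(triage(parse_request(raw)))
```

Two caveats a practitioner should keep in mind. The User-Agent is attacker-controllable, so the allowlist hit only says the destination is one Office is known to use; the stronger evidence that this is really Office is the Sysmon event 3 Image field (C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE) recorded in the Sigma match. And a benign verdict on the network traffic says nothing about the document itself, which is why the report still recommends re-running the sample under other Office versions.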



Target ID:0
Start time:06:57:23
Start date:18/04/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:0xe90000
File size:53'161'064 bytes
MD5 hash:4A871771235598812032C822E6F68F19
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Target ID:6
Start time:06:58:27
Start date:18/04/2024
Path:C:\Windows\splwow64.exe
Wow64 process (32bit):false
Commandline:C:\Windows\splwow64.exe 12288
Imagebase:0x7ff638d10000
File size:163'840 bytes
MD5 hash:77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

No disassembly