Edit tour

Windows Analysis Report
Finalization-report-04-19-2024-06_23_25.csv

Overview

General Information

Sample name:	Finalization-report-04-19-2024-06_23_25.csv
Analysis ID:	1430576
MD5:	1a01789f1d85edc344da33e03bee227f
SHA1:	40451aee35e6c5e438c8cbdb7cc7b027a4ab2e91
SHA256:	81128fb4af8c44978e811026134a9d0687f445f17d68e5fb8bac24b4f57ad546
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6900 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 7632 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

cleanup

Sigma Signatures

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 52.123.247.30, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6900, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49735, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6900, Protocol: tcp, SourceIp: 52.123.247.30, SourceIsIpv6: false, SourcePort: 443

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 52.123.247.30:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49753 version: TLS 1.2

Source: excel.exe

Memory has grown: Private usage: 1MB later: 70MB

Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /config/v2/Office/excel/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7423E565-A626-48D4-A186-93E31FBB3F25%7d&Application=excel&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b7D3C82C5-B22B-4277-A537-C718EBD25F17%7d&LabMachine=false HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipIf-None-Match: "NBZZ0yPtnIZxj0NZ+as1PGyLKGN8GOvVL0RXS5Wllhw="User-Agent: Microsoft Office 2014DisableExperiments: falseX-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130Host: ecs.office.com
Source: global traffic	HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr

String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 52.123.247.30:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49753 version: TLS 1.2

Source: classification engine

Classification label: clean3.winCSV@3/1@0/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso81F7.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{7D3C82C5-B22B-4277-A537-C718EBD25F17} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 724

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
part-0013.t-0009.t-msedge.net	13.107.246.41	true	false		unknown
svc.ha-teams.office.com	52.123.247.30	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.246.41	part-0013.t-0009.t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.123.247.30	svc.ha-teams.office.com	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430576
Start date and time:	2024-04-23 22:23:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Finalization-report-04-19-2024-06_23_25.csv
Detection:	CLEAN
Classification:	clean3.winCSV@3/1@0/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .csv

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.56.128, 52.109.8.36, 184.31.62.93, 23.45.13.137, 23.45.13.138, 23.45.13.176, 20.42.73.25
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, asia.configsvc1.live.com.akadns.net, roaming.officeapps.live.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, onedscolprdeus06.eastus.cloudapp.azure.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, wu-bg-shim.trafficmanager.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, us1.roaming1.live.com.akadns.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, inc-azsc-config.officeapps.live.com,
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Finalization-report-04-19-2024-06_23_25.csv

Simulations

Behavior and APIs

Time	Type	Description
22:25:06	API Interceptor	745x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.41	http://www.surveymonkey.com/tr/v1/te/PUEIZHbYTJGrZEIkVMWlCoicdktJQxDgUh5D5mhe1V5RrTmuIdynx7PnFHXRUx9slMgQjvZdyUWqhr_2Bl49oNXjy3TOleTjKMKR6WbsGcrstlT2syBMlSkW7U5aKlKcBD9NFqJqrxGyODSWJJr6_2BMbXsKkDA_2F0ep4iw23xw6huuM_3D	Get hash	malicious	Unknown	Browse	www.eand.com/en/index.html
	02-11-2024 MVP.html	Get hash	malicious	Unknown	Browse	www.mvphealthcare.com/
	02-11-2024 MVP.html	Get hash	malicious	Unknown	Browse	www.mvphealthcare.com/
	http://y84x.mjt.lu/lnk/CAAABPdweCoAAAAAAAAAAAVG8MwAAAA6pnMAAAAAAAvpOQBlhIO4-ImJ1UImRBC5CNVIkLSaswAL-7Q/2/r-vXj7XjX0azsD7QNKNH-A/aHR0cHM6Ly9hcHBjZW50ZXIubXMvaW52aXRhdGlvbnMvb3JnL2IxNjM2ZDYzMTE0YTM0MjBkYWFmNTg4YTE5N2Y0N2MxNGY4ZDViNWMyM2ZjM2RhYTgxMWM0ODgwOWM1ZTZkNjQ	Get hash	malicious	Unknown	Browse	appcenter.ms/
	http://url7816.acetaxi.com/ls/click?upn=k9eqZnPBEZmPVPka3LxS61O1ksdCJOgznvtiwccqzi2-2BneqvfCXEJ-2FQj-2BZo7snmCwDunBahf2LYhfs7qQp7-2F23xLStq-2BkxJ70xqVvyXzkWM-3D8Cie_z5TGfmB4A65PPE2hDgRdrx6OZsZ3AmrJLHJ0M9ePWeHP5QDTWsAVp117uXam9dNn-2BGSxHeP-2BInRF-2Bgy2v-2FXBPODjmLss6NRV2RYsUYD7um77hgLl0ET9pPGTHF-2BQ1m6-2Fw7-2B-2B9DJOpakZj874YLC8uUep0F7rZMDlM46gmHmQqqAeCV477M0h2b07T2IcXu0hzUcKftN0UG2jhPq8qo00cQl0gvOLl-2BjChyaOdLpENao-3D	Get hash	malicious	Unknown	Browse	twiliosolutions.azurefd.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
svc.ha-teams.office.com	0ad633e2-921f-c631-3b46-d659c729bcb1.eml	Get hash	malicious	Unknown	Browse	52.123.251.11
	STS3780032024.xls	Get hash	malicious	Unknown	Browse	52.123.249.187
	Purchase Order List 1 & 2.xls	Get hash	malicious	Unknown	Browse	52.123.247.50
	https://downloads.sabrent.com/product/hb-b7c3-firmware-update	Get hash	malicious	Unknown	Browse	52.123.247.83
	8DC05M2LD0.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RisePro Stealer	Browse	52.123.247.40
	SecuriteInfo.com.Win32.TrojanX-gen.27020.26387.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer	Browse	52.123.247.17
	wx3.exe	Get hash	malicious	Unknown	Browse	52.123.251.5
	invoice.docm	Get hash	malicious	Unknown	Browse	52.123.251.7
	k4cojobP8C.docx	Get hash	malicious	Unknown	Browse	52.123.247.54
	https://1drv.ms/b/s!Aj_dAsJOtS3GeKVcEaa61wq6boU?e=TSuYkW	Get hash	malicious	Unknown	Browse	52.123.251.11
part-0013.t-0009.t-msedge.net	https://lithiuimvalley.com/ssd	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.213.41
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DlLb9_7VBE-2BPKrWdDFE8TeQU0FNoYmRNt3BbsAfHCQfpyMVcUv91cWM1GbR6tMnpfVZqwoeCii1Z-2FHB6Wp4CGi-2FJ4Nq2flvhbRyRKwbWUqyssDslf87wBQZbBQ0EZsTXlvzjuj1ZnarL4QCJJlvUup-2FiM-2F9GPG6X3nhhKKp6sQ0v-2BBs5Jrrpzc3e5B2aUKKEJUx1Hjrx3xc16wmpK1HmM2sLiNIweMaJlJ9frDis7-2BK565mLw-3D	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	https://www.jottacloud.com/s/359ee8b110b8ca8464998842a5d227ed979	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://assets-usa.mkt.dynamics.com/6f8aa86c-81f8-ee11-a1fa-0022482e8338/digitalassets/standaloneforms/4b367e61-8601-ef11-a1fd-0022482f3701	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	https://sunhos-my.sharepoint.com/:b:/g/personal/mcaffrey_suncrestcare_com/EVEm8VhV9TBDp7AQUrliImYB4Kt7rXcd_m6-8qNUjxBhTA?e=P3XNTL&xsdata=MDV8MDJ8cHJpY2hhcmRzb25AY2FsdG9uLmNvbXxkM2U5ZTc1MTlkNDA0NmI2OWMzODA4ZGM2M2JhOTA4Y3w3YjU1NzU2YTg5NTg0ZWNlODFkYzVkYTZhYmRiNmE5N3wwfDB8NjM4NDk0OTAwMTUyMzMwMjUxfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=TldIbEg2OTJiSkRUS29RRElmU3dYbTBRQUlqUTBBMXZPcGlIaTlzNnlOQT0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	13.107.246.41
	https://main-bvxea6i-qhygy63sspp2a.ca-1.platformsh.site/sample-page/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	https://www.msn.com/en-us/autos/enthusiasts/what-s-the-difference-between-a-shelby-mustang-and-a-regular-mustang/ar-AA1ntM5Z?ocid=entnewsntp&pc=U531&cvid=8b8aa9e3e14d4164a6a2181020104694&ei=36	Get hash	malicious	Unknown	Browse	13.107.246.41
	https://netorgft3546691-my.sharepoint.com/:b:/g/personal/nicole_felthaus_mmclippers_com/EfUF1hXkwfZNuGJhx43KV34BvAUaxh5xTDD3cQCuhCEK1w?e=yOS03G	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	https://www.ne16.com/t/4177044/70602841/2927387/1/124665/?f8785874=aHR0cHM6Ly93b29kLWRlY2sub3JnL3BkZi85SWRac1p5aTJEeWh3ZUcvYTFmM2IxODIyN2RiNTc4NjIzOGE2ZTc0NTE3YWQ4MDEvWEM4YXAvYTFmM2IxODIyN2RiNTc4NjIzOGE2ZTc0NTE3YWQ4MDEvWTJOc1lYSmxRR0psYkd4d1lYSjBibVZ5YzJsdVl5NWpiMjA9	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://lithiuimvalley.com/ssd	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.213.41
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DlLb9_7VBE-2BPKrWdDFE8TeQU0FNoYmRNt3BbsAfHCQfpyMVcUv91cWM1GbR6tMnpfVZqwoeCii1Z-2FHB6Wp4CGi-2FJ4Nq2flvhbRyRKwbWUqyssDslf87wBQZbBQ0EZsTXlvzjuj1ZnarL4QCJJlvUup-2FiM-2F9GPG6X3nhhKKp6sQ0v-2BBs5Jrrpzc3e5B2aUKKEJUx1Hjrx3xc16wmpK1HmM2sLiNIweMaJlJ9frDis7-2BK565mLw-3D	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://www.jottacloud.com/s/359ee8b110b8ca8464998842a5d227ed979	Get hash	malicious	HTMLPhisher	Browse	20.76.133.196
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	20.42.65.92
	https://assets-usa.mkt.dynamics.com/6f8aa86c-81f8-ee11-a1fa-0022482e8338/digitalassets/standaloneforms/4b367e61-8601-ef11-a1fd-0022482f3701	Get hash	malicious	HTMLPhisher	Browse	52.146.76.30
	https://sunhos-my.sharepoint.com/:b:/g/personal/mcaffrey_suncrestcare_com/EVEm8VhV9TBDp7AQUrliImYB4Kt7rXcd_m6-8qNUjxBhTA?e=P3XNTL&xsdata=MDV8MDJ8cHJpY2hhcmRzb25AY2FsdG9uLmNvbXxkM2U5ZTc1MTlkNDA0NmI2OWMzODA4ZGM2M2JhOTA4Y3w3YjU1NzU2YTg5NTg0ZWNlODFkYzVkYTZhYmRiNmE5N3wwfDB8NjM4NDk0OTAwMTUyMzMwMjUxfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=TldIbEg2OTJiSkRUS29RRElmU3dYbTBRQUlqUTBBMXZPcGlIaTlzNnlOQT0%3d	Get hash	malicious	HTMLPhisher	Browse	20.189.173.23
	_file____C__Users_hp_Downloads_C__Users_moodyt_AppData_Local_Temp_2_RemittanceAdvice17-Apr-2024.html	Get hash	malicious	Unknown	Browse	13.107.213.51
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	52.174.3.252
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	13.107.246.51
	http://geoguesser.com/seterra/en-an/vpg/3800	Get hash	malicious	Unknown	Browse	20.237.39.62
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://lithiuimvalley.com/ssd	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.213.41
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DlLb9_7VBE-2BPKrWdDFE8TeQU0FNoYmRNt3BbsAfHCQfpyMVcUv91cWM1GbR6tMnpfVZqwoeCii1Z-2FHB6Wp4CGi-2FJ4Nq2flvhbRyRKwbWUqyssDslf87wBQZbBQ0EZsTXlvzjuj1ZnarL4QCJJlvUup-2FiM-2F9GPG6X3nhhKKp6sQ0v-2BBs5Jrrpzc3e5B2aUKKEJUx1Hjrx3xc16wmpK1HmM2sLiNIweMaJlJ9frDis7-2BK565mLw-3D	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://www.jottacloud.com/s/359ee8b110b8ca8464998842a5d227ed979	Get hash	malicious	HTMLPhisher	Browse	20.76.133.196
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	20.42.65.92
	https://assets-usa.mkt.dynamics.com/6f8aa86c-81f8-ee11-a1fa-0022482e8338/digitalassets/standaloneforms/4b367e61-8601-ef11-a1fd-0022482f3701	Get hash	malicious	HTMLPhisher	Browse	52.146.76.30
	https://sunhos-my.sharepoint.com/:b:/g/personal/mcaffrey_suncrestcare_com/EVEm8VhV9TBDp7AQUrliImYB4Kt7rXcd_m6-8qNUjxBhTA?e=P3XNTL&xsdata=MDV8MDJ8cHJpY2hhcmRzb25AY2FsdG9uLmNvbXxkM2U5ZTc1MTlkNDA0NmI2OWMzODA4ZGM2M2JhOTA4Y3w3YjU1NzU2YTg5NTg0ZWNlODFkYzVkYTZhYmRiNmE5N3wwfDB8NjM4NDk0OTAwMTUyMzMwMjUxfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=TldIbEg2OTJiSkRUS29RRElmU3dYbTBRQUlqUTBBMXZPcGlIaTlzNnlOQT0%3d	Get hash	malicious	HTMLPhisher	Browse	20.189.173.23
	_file____C__Users_hp_Downloads_C__Users_moodyt_AppData_Local_Temp_2_RemittanceAdvice17-Apr-2024.html	Get hash	malicious	Unknown	Browse	13.107.213.51
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	52.174.3.252
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	13.107.246.51
	http://geoguesser.com/seterra/en-an/vpg/3800	Get hash	malicious	Unknown	Browse	20.237.39.62

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	z56NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	52.123.247.30 13.107.246.41
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.247.30 13.107.246.41
	Gam.xls	Get hash	malicious	Unknown	Browse	52.123.247.30 13.107.246.41
	szamla_sorszam_8472.xlsm	Get hash	malicious	Unknown	Browse	52.123.247.30 13.107.246.41
	iPUk65i3yI.exe	Get hash	malicious	LummaC	Browse	52.123.247.30 13.107.246.41
	asbpKOngY0.exe	Get hash	malicious	LummaC	Browse	52.123.247.30 13.107.246.41
	VdwJB2cS5l.exe	Get hash	malicious	Remcos, DBatLoader	Browse	52.123.247.30 13.107.246.41
	https://www.epa.gov/climateleadership/simplified-ghg-emissions-calculator	Get hash	malicious	Unknown	Browse	52.123.247.30 13.107.246.41
	SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe	Get hash	malicious	Remcos, DBatLoader	Browse	52.123.247.30 13.107.246.41
	https://mota-engil.caf0sa.com/tiyamike.chikabadwa56078874fessdGl5YW1pa2UuY2hpa2FiYWR3YUBtb3RhLWVuZ2lsLnB097140964?5101245168264822=2215800694735574#dGl5YW1pa2UuY2hpa2FiYWR3YUBtb3RhLWVuZ2lsLnB0	Get hash	malicious	Unknown	Browse	52.123.247.30 13.107.246.41

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4738726491832703
Encrypted:	false
SSDEEP:	6:kKDU80MSPiJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:rUljBkPlE99SCQl2DUevat
MD5:	7EF50AFE1EE5F253322405A93A2D46AE
SHA1:	32ADCCA733B54CF8C9E5FD8EF80987786CC1A5DE
SHA-256:	459D0D697417831EFAA0E8337FAA0034D95E09E56775C0D3D5E971B9C1FA1198
SHA-512:	7919CBA9211243B22BDC24FCA8C580AC8B212C32AF90FD7731947FFEDBAF854C6D8675D7A918179B265BEF1BA926A1DCCEF89AF50F6DD52E39A8CF2EF22510B6
Malicious:	false
Reputation:	low
Preview:	p...... .........B.2....(...............................................Q...@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

Static File Info

General

File type:	CSV text
Entropy (8bit):	4.897903471988569
TrID:
File name:	Finalization-report-04-19-2024-06_23_25.csv
File size:	1'738 bytes
MD5:	1a01789f1d85edc344da33e03bee227f
SHA1:	40451aee35e6c5e438c8cbdb7cc7b027a4ab2e91
SHA256:	81128fb4af8c44978e811026134a9d0687f445f17d68e5fb8bac24b4f57ad546
SHA512:	bc1c0f38a6ee263409058fe8ced473807bacfff353df536e84ea6dcb55a41052f0d667dd741473e8167606af81e95025aa763a9008b33124fe230f3db59a4bdd
SSDEEP:	48:1dL509aNYPbhPbrPbtLnPHRPbwPbZNPbIZRPacPbwKPWRRPb6Jiv:1YASZvR7toVJEHvcauWJiv
TLSH:	DC312730B709A494C74C23ED2A802B223A70CABAF416A9E573D13594FEB89CF1D601D6
File Content Preview:	Plan Type,Individual Name,Individual ID,Individual Employee ID,Benefit Plan Name,Individual Election,Client Election,Plan Year Funding,Carryover In,Funding Adjustment,Funding Total,Plan Year Disbursement,Plan End Carryover Amount,Run Out Disbursement,Tota

File Icon


Icon Hash:	35e5caacacca85b9

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 22:24:09.035355091 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.035402060 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.035572052 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.038120031 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.038135052 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.406157017 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.406263113 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.408433914 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.408441067 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.408899069 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.410381079 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.456110954 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.880326986 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.880374908 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.880397081 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.880436897 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.880464077 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.880491018 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.880522966 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.997071028 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.997109890 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.997158051 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.997173071 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.997184992 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:09.997201920 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:09.997226954 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114304066 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114343882 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114399910 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114423037 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114442110 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114443064 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114470959 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114475012 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114483118 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114506960 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114546061 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114588022 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114612103 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114651918 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114655972 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114684105 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114708900 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114726067 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114746094 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114784956 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114789963 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.114816904 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.114839077 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.231179953 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231216908 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231283903 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231312037 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231349945 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.231375933 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231426954 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.231563091 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231583118 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231620073 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.231623888 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231668949 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.231673956 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231723070 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.231739044 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.231781006 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.232067108 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.232079983 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:24:10.232091904 CEST	49735	443	192.168.2.4	52.123.247.30
Apr 23, 2024 22:24:10.232096910 CEST	443	49735	52.123.247.30	192.168.2.4
Apr 23, 2024 22:25:12.670380116 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.670432091 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:12.670504093 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.670587063 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.670619011 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:12.670706987 CEST	49755	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.670723915 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.670737982 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:12.670782089 CEST	49755	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.670833111 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.670916080 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:12.670979977 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.671178102 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.671190977 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:12.671288967 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.671295881 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:12.671365976 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.671397924 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:12.671471119 CEST	49755	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:12.671485901 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.002011061 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.002140999 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.003297091 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.003364086 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.006685972 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.006767988 CEST	49755	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.006956100 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.007018089 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.020754099 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.020809889 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.021223068 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.023699999 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.025876045 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.025907993 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.026796103 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.027806997 CEST	49755	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.027837992 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.028863907 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.029776096 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.030215025 CEST	49755	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.031833887 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.031847000 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.032802105 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.057102919 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.068125963 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.076116085 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.076122046 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.100158930 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.209129095 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.209427118 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.209759951 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.210638046 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.210638046 CEST	49756	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.210684061 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.210711956 CEST	443	49756	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.213992119 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.214054108 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.214108944 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.214124918 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.214356899 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.214526892 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.214548111 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.214560032 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.214560032 CEST	49753	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.214566946 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.214572906 CEST	443	49753	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.250343084 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.250524044 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.250617027 CEST	49755	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.397727966 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.397773981 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.397841930 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.397857904 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.398000956 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.398056030 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.527426004 CEST	49755	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.527457952 CEST	443	49755	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.530781984 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.530781984 CEST	49754	443	192.168.2.4	13.107.246.41
Apr 23, 2024 22:25:13.530808926 CEST	443	49754	13.107.246.41	192.168.2.4
Apr 23, 2024 22:25:13.530822992 CEST	443	49754	13.107.246.41	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 22:24:09.032695055 CEST	1.1.1.1	192.168.2.4	0xd6a5	No error (0)	svc.ha-teams.office.com		52.123.247.30	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:24:09.032695055 CEST	1.1.1.1	192.168.2.4	0xd6a5	No error (0)	svc.ha-teams.office.com		52.123.247.25	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:24:09.032695055 CEST	1.1.1.1	192.168.2.4	0xd6a5	No error (0)	svc.ha-teams.office.com		52.123.247.81	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:24:09.032695055 CEST	1.1.1.1	192.168.2.4	0xd6a5	No error (0)	svc.ha-teams.office.com		52.123.247.96	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:24:09.032695055 CEST	1.1.1.1	192.168.2.4	0xd6a5	No error (0)	svc.ha-teams.office.com		52.123.247.64	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:24:09.032695055 CEST	1.1.1.1	192.168.2.4	0xd6a5	No error (0)	svc.ha-teams.office.com		52.123.247.74	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:24:09.032695055 CEST	1.1.1.1	192.168.2.4	0xd6a5	No error (0)	svc.ha-teams.office.com		52.123.247.33	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:24:09.032695055 CEST	1.1.1.1	192.168.2.4	0xd6a5	No error (0)	svc.ha-teams.office.com		52.123.247.22	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:25:12.669244051 CEST	1.1.1.1	192.168.2.4	0xe3a5	No error (0)	shed.dual-low.part-0013.t-0009.t-msedge.net	part-0013.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 22:25:12.669244051 CEST	1.1.1.1	192.168.2.4	0xe3a5	No error (0)	part-0013.t-0009.t-msedge.net		13.107.246.41	A (IP address)	IN (0x0001)	false
Apr 23, 2024 22:25:12.669244051 CEST	1.1.1.1	192.168.2.4	0xe3a5	No error (0)	part-0013.t-0009.t-msedge.net		13.107.213.41	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ecs.office.com

otelrules.azureedge.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	52.123.247.30	443	6900	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-04-23 20:24:09 UTC	851	OUT	GET /config/v2/Office/excel/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7423E565-A626-48D4-A186-93E31FBB3F25%7d&Application=excel&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b7D3C82C5-B22B-4277-A537-C718EBD25F17%7d&LabMachine=false HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip If-None-Match: "NBZZ0yPtnIZxj0NZ+as1PGyLKGN8GOvVL0RXS5Wllhw=" User-Agent: Microsoft Office 2014 DisableExperiments: false X-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130 Host: ecs.office.com
2024-04-23 20:24:09 UTC	1181	IN	HTTP/1.1 200 OK Cache-Control: no-cache,max-age=14400 Content-Length: 148125 Content-Type: application/json Expires: Wed, 24 Apr 2024 00:24:09 GMT ETag: "tDEexs7HuI+8Ir5VTElCevlaYcQvh/TwMJejBIri0R8=" Server: Microsoft-IIS/10.0 request-id: 56e78b50-f295-556d-8396-07206915b404 Alt-Svc: h3=":443";ma=2592000,h3-29=":443";ma=2592000 X-BackEndHttpStatus: 200 X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubDomains Report-To: {"group":"NelEcsUpload1","max_age":604800,"endpoints":[{"url":"https://ecs.nel.measure.office.net?TenantId=Office&DestinationEndpoint=MIRA-WW-BN0&FrontEnd=MIRA"}],"include_subdomains":true} NEL: {"report_to":"NelEcsUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01} X-Proxy-RoutingCorrectness: 1 X-MSEdge-Ref: MIRA: 56e78b50-f295-556d-8396-07206915b404 BN0PR04CA0191 2024-04-23T20:24:09.551Z X-Proxy-BackendServerStatus: 200 X-FirstHopCafeEFZ: LYH X-FEProxyInfo: BN0PR04CA0191.NAMPRD04.PROD.OUTLOOK.COM X-FEEFZInfo: LYH X-Powered-By: ASP.NET X-FEServer: BN0PR04CA0191 Date: Tue, 23 Apr 2024 20:24:08 GMT Connection: close
2024-04-23 20:24:09 UTC	15203	IN	Data Raw: 7b 22 45 43 53 22 3a 7b 22 43 6f 6e 66 69 67 4c 6f 67 54 61 72 67 65 74 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 63 37 32 65 61 32 38 37 2d 65 64 37 37 2d 34 66 61 36 2d 61 34 38 30 2d 33 37 31 32 34 30 36 63 33 36 37 65 22 3a 22 61 6b 61 2e 6d 73 2f 45 63 73 43 61 6e 61 72 79 22 2c 22 43 61 63 68 65 45 78 70 69 72 79 49 6e 4d 69 6e 22 3a 32 34 30 2c 22 45 6e 61 62 6c 65 53 6d 61 72 74 45 54 61 67 22 3a 31 2c 22 43 6f 6e 66 69 67 49 64 44 65 6c 69 6d 69 74 65 72 49 6e 4c 6f 67 22 3a 22 3b 22 7d 2c 22 4e 61 6e 63 79 4f 66 66 69 63 65 54 65 61 6d 22 3a 7b 22 7a 68 65 74 61 6e 34 31 32 32 30 32 31 22 3a 74 72 75 65 7d 2c 22 4f 66 66 69 63 65 5f 41 63 63 65 73 73 22 3a 7b 22 55 73 65 46 6f 72 6d 54 68 65 6d 65 49 66 4e 6f 50 61 72 65 6e 74 53 65 63 74 69 6f 6e Data Ascii: {"ECS":{"ConfigLogTarget":"default","c72ea287-ed77-4fa6-a480-3712406c367e":"aka.ms/EcsCanary","CacheExpiryInMin":240,"EnableSmartETag":1,"ConfigIdDelimiterInLog":";"},"NancyOfficeTeam":{"zhetan4122021":true},"Office_Access":{"UseFormThemeIfNoParentSection
2024-04-23 20:24:09 UTC	16384	IN	Data Raw: 65 57 6f 70 69 45 6e 66 6f 72 63 65 48 74 74 70 73 4f 6e 52 65 73 70 6f 6e 73 65 22 3a 74 72 75 65 2c 22 57 6f 70 69 54 6f 6b 65 6e 54 69 6d 65 42 65 66 6f 72 65 52 65 66 72 65 73 68 49 6e 4d 69 6e 75 74 65 73 22 3a 32 2c 22 45 6e 61 62 6c 65 43 6c 6f 75 64 55 73 61 67 65 4d 65 74 72 69 63 73 41 70 69 22 3a 74 72 75 65 2c 22 44 6f 63 75 6d 65 6e 74 53 75 6d 6d 61 72 79 54 65 6c 65 6d 65 74 72 79 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 44 65 66 61 75 6c 74 54 6f 4f 44 42 49 6e 42 61 63 6b 73 74 61 67 65 53 61 76 65 50 61 6e 65 46 6f 72 4e 65 77 46 69 6c 65 22 3a 74 72 75 65 2c 22 49 73 43 53 44 46 6f 72 4f 75 74 6c 6f 6f 6b 41 74 74 61 63 68 6d 65 6e 74 45 78 63 65 6c 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 4c 69 73 74 65 6e 54 6f 48 6f 73 74 4e Data Ascii: eWopiEnforceHttpsOnResponse":true,"WopiTokenTimeBeforeRefreshInMinutes":2,"EnableCloudUsageMetricsApi":true,"DocumentSummaryTelemetryEnabled":true,"DefaultToODBInBackstageSavePaneForNewFile":true,"IsCSDForOutlookAttachmentExcelEnabled":true,"ListenToHostN
2024-04-23 20:24:09 UTC	1181	IN	Data Raw: 41 47 38 41 62 77 42 73 41 47 49 41 59 51 42 79 41 46 59 41 61 51 42 7a 41 47 6b 41 59 67 42 73 41 47 55 41 51 77 42 76 41 48 55 41 62 67 42 30 41 43 55 42 51 67 41 41 45 41 49 42 45 69 70 50 41 47 59 41 5a 67 42 70 41 47 4d 41 5a 51 41 75 41 46 4d 41 5a 51 42 6a 41 48 55 41 63 67 42 70 41 48 51 41 65 51 41 75 41 45 4d 41 62 41 42 77 41 43 34 41 51 77 42 4d 41 46 41 41 55 77 42 68 41 48 51 41 61 51 42 7a 41 47 59 41 61 51 42 6a 41 47 45 41 64 41 42 70 41 47 38 41 62 67 42 54 41 48 55 41 63 67 42 32 41 47 55 41 65 51 41 6c 41 55 49 42 63 41 51 41 41 46 41 43 63 41 36 4b 43 77 6f 42 45 41 49 42 43 68 41 43 41 52 49 37 54 77 42 6d 41 47 59 41 61 51 42 6a 41 47 55 41 49 41 42 71 41 48 55 41 63 77 42 30 41 43 41 41 63 77 42 31 41 47 63 41 5a 77 42 6c 41 48 4d Data Ascii: AG8AbwBsAGIAYQByAFYAaQBzAGkAYgBsAGUAQwBvAHUAbgB0ACUBQgAAEAIBEipPAGYAZgBpAGMAZQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAbABwAC4AQwBMAFAAUwBhAHQAaQBzAGYAaQBjAGEAdABpAG8AbgBTAHUAcgB2AGUAeQAlAUIBcAQAAFACcA6KCwoBEAIBChACARI7TwBmAGYAaQBjAGUAIABqAHUAcwB0ACAAcwB1AGcAZwBlAHM
2024-04-23 20:24:10 UTC	16384	IN	Data Raw: 6c 6c 6f 75 74 2e 49 73 41 6e 63 68 6f 72 52 65 61 64 79 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 49 73 4e 65 77 55 78 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 45 78 63 65 6c 2e 53 75 72 76 65 79 73 2e 31 30 22 3a 22 43 68 41 73 4d 69 51 77 41 47 55 41 4e 51 41 77 41 44 67 41 4f 41 42 69 41 44 63 41 4c 51 41 35 41 44 4d 41 59 51 41 7a 41 43 30 41 4e 41 41 78 41 44 49 41 59 77 41 74 41 47 45 41 4d 41 41 78 41 44 59 41 4c 51 42 69 41 47 4d 41 4e 41 41 32 41 44 41 41 5a 51 41 77 41 44 63 41 59 51 41 78 41 47 59 41 4d 51 42 53 47 7a 49 41 4d 41 41 79 41 44 51 41 4c 51 41 77 41 44 59 41 4c 51 41 79 41 44 51 41 56 41 41 77 41 44 41 41 4f 67 41 77 41 44 41 41 4f 67 41 77 41 44 41 41 4c 67 41 77 41 44 41 41 4d 41 41 77 41 44 41 41 4d 41 41 77 41 47 6f 51 Data Ascii: llout.IsAnchorReadyEnabled":true,"IsNewUxEnabled":true,"Excel.Surveys.10":"ChAsMiQwAGUANQAwADgAOABiADcALQA5ADMAYQAzAC0ANAAxADIAYwAtAGEAMAAxADYALQBiAGMANAA2ADAAZQAwADcAYQAxAGYAMQBSGzIAMAAyADQALQAwADYALQAyADQAVAAwADAAOgAwADAAOgAwADAALgAwADAAMAAwADAAMAAwAGoQ
2024-04-23 20:24:10 UTC	16384	IN	Data Raw: 72 31 38 30 30 36 36 5f 30 22 3a 31 2c 22 72 31 38 30 30 37 32 5f 30 22 3a 31 2c 22 72 31 38 30 30 37 37 5f 33 22 3a 31 2c 22 72 31 38 30 30 37 38 5f 31 22 3a 31 2c 22 72 31 38 30 30 37 39 5f 31 22 3a 31 2c 22 72 31 38 30 30 38 30 5f 30 22 3a 31 2c 22 72 31 38 30 30 38 34 5f 30 22 3a 31 2c 22 72 31 38 30 30 38 37 5f 33 22 3a 31 2c 22 72 31 38 30 31 33 36 5f 32 22 3a 31 2c 22 72 31 38 30 31 34 33 5f 30 22 3a 31 2c 22 72 31 38 30 31 36 31 5f 30 22 3a 31 2c 22 72 31 38 30 31 36 32 5f 30 22 3a 31 2c 22 72 31 38 30 31 36 33 5f 30 22 3a 31 2c 22 72 31 38 30 31 37 37 5f 30 22 3a 31 2c 22 72 31 38 30 31 39 35 5f 32 22 3a 31 2c 22 72 31 38 30 32 30 30 5f 30 22 3a 31 2c 22 72 34 34 30 30 30 30 5f 33 22 3a 31 2c 22 72 34 34 30 30 30 32 5f 39 22 3a 31 2c 22 72 34 34 Data Ascii: r180066_0":1,"r180072_0":1,"r180077_3":1,"r180078_1":1,"r180079_1":1,"r180080_0":1,"r180084_0":1,"r180087_3":1,"r180136_2":1,"r180143_0":1,"r180161_0":1,"r180162_0":1,"r180163_0":1,"r180177_0":1,"r180195_2":1,"r180200_0":1,"r440000_3":1,"r440002_9":1,"r44
2024-04-23 20:24:10 UTC	16384	IN	Data Raw: 44 6f 41 75 74 6f 52 65 63 6f 76 65 72 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d 2c 22 58 6c 52 65 6c 69 61 62 6c 65 46 69 6c 65 49 4f 4c 69 73 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 53 43 43 6c 6f 73 65 50 6f 73 74 70 6f 6e 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 47 72 62 69 74 42 61 64 50 74 67 73 49 6e 52 67 63 65 43 63 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 41 75 74 6f 52 65 63 6f 76 65 72 79 50 72 65 66 65 72 65 6e 63 65 73 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 4c 69 6e 6b 65 64 45 6e 74 69 74 69 65 73 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 46 69 6c 65 4c 6f 61 64 52 65 61 73 6f 6e 41 6e 64 43 61 6c 6c 73 74 61 63 6b 22 3a 7b 22 45 76 65 6e 74 Data Ascii: DoAutoRecover":{"EventFlag":512},"XlReliableFileIOList":{"EventFlag":2},"SCClosePostponed":{"EventFlag":2},"GrbitBadPtgsInRgceCce":{"EventFlag":2},"AutoRecoveryPreferences":{"EventFlag":2}}},"LinkedEntities":{"Events":{"FileLoadReasonAndCallstack":{"Event
2024-04-23 20:24:10 UTC	16384	IN	Data Raw: 68 6f 77 54 72 75 73 74 55 49 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 44 65 65 70 4c 69 6e 6b 69 6e 67 54 72 75 73 74 52 65 73 75 6c 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 45 77 73 4c 61 73 74 55 70 64 61 74 65 53 74 61 74 75 73 49 74 65 6d 43 6c 69 63 6b 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 45 77 73 4c 61 73 74 55 70 64 61 74 65 53 74 61 74 75 73 49 74 65 6d 53 68 6f 77 6e 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 47 65 6e 31 41 63 74 69 76 69 74 79 41 67 67 72 65 67 61 74 65 64 42 61 73 65 53 75 62 72 75 6c 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 47 65 6e 31 41 63 74 69 76 69 74 79 41 67 67 72 65 67 61 74 65 64 46 61 69 6c 75 72 65 Data Ascii: howTrustUI":{"EventFlag":256},"DeepLinkingTrustResult":{"EventFlag":256},"EwsLastUpdateStatusItemClick":{"EventFlag":256},"EwsLastUpdateStatusItemShown":{"EventFlag":256},"Gen1ActivityAggregatedBaseSubrule":{"EventFlag":256},"Gen1ActivityAggregatedFailure
2024-04-23 20:24:10 UTC	16384	IN	Data Raw: 6e 67 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 44 69 73 70 61 74 63 68 43 6f 6d 6d 65 6e 74 73 43 68 61 6e 67 65 64 45 76 65 6e 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 44 69 73 70 61 74 63 68 43 6f 6d 6d 65 6e 74 53 65 6c 65 63 74 65 64 45 76 65 6e 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 44 69 73 70 61 74 63 68 43 72 65 61 74 65 43 6f 6d 6d 65 6e 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 44 69 73 70 61 74 63 68 44 6f 63 43 68 61 6e 67 65 64 45 76 65 6e 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 44 69 73 70 61 74 63 68 45 6e 64 43 6f 6d 6d 65 6e 74 53 65 73 73 69 6f 6e 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 44 69 73 70 61 74 63 68 45 6e 64 44 Data Ascii: nged":{"EventFlag":2},"DispatchCommentsChangedEvent":{"EventFlag":2},"DispatchCommentSelectedEvent":{"EventFlag":2},"DispatchCreateComment":{"EventFlag":2},"DispatchDocChangedEvent":{"EventFlag":2},"DispatchEndCommentSession":{"EventFlag":2},"DispatchEndD
2024-04-23 20:24:10 UTC	16384	IN	Data Raw: 7d 2c 22 53 68 61 72 65 64 53 65 72 70 6c 65 74 45 6e 61 62 6c 65 4e 61 74 69 76 65 46 69 6c 65 53 65 61 72 63 68 46 6f 72 45 6e 74 65 72 70 72 69 73 65 22 3a 74 72 75 65 2c 22 53 68 61 72 65 64 53 65 72 70 6c 65 74 45 6e 61 62 6c 65 50 6c 61 63 65 73 43 61 72 64 22 3a 74 72 75 65 2c 22 45 6e 61 62 6c 65 4e 61 74 69 76 65 46 69 6c 65 53 65 61 72 63 68 22 3a 74 72 75 65 2c 22 54 65 6c 6c 4d 65 2e 49 73 41 70 70 53 70 65 63 69 66 69 63 46 69 6e 64 49 6e 44 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 53 68 61 72 65 64 53 65 72 70 6c 65 74 46 65 61 74 75 72 65 47 61 74 65 33 35 22 3a 74 72 75 65 2c 22 54 65 6c 6c 4d 65 2e 49 73 53 65 61 72 63 68 54 65 61 63 68 69 6e 67 4c 61 62 65 6c 46 6f 72 41 63 74 69 76 65 53 74 61 Data Ascii: },"SharedSerpletEnableNativeFileSearchForEnterprise":true,"SharedSerpletEnablePlacesCard":true,"EnableNativeFileSearch":true,"TellMe.IsAppSpecificFindInDocumentHeaderEnabled":true,"SharedSerpletFeatureGate35":true,"TellMe.IsSearchTeachingLabelForActiveSta
2024-04-23 20:24:10 UTC	16384	IN	Data Raw: 2d 35 2c 6c 61 6c 61 6e 32 33 31 3a 31 34 30 37 38 31 22 2c 22 4f 66 66 69 63 65 5f 4c 65 67 61 63 79 22 3a 22 50 2d 58 2d 31 32 32 39 36 32 35 2d 34 2d 39 2c 50 2d 58 2d 31 31 31 37 34 37 31 2d 31 2d 39 2c 50 2d 58 2d 31 30 35 36 38 30 33 2d 32 2d 32 34 2c 50 2d 58 2d 31 30 35 34 36 36 33 2d 31 2d 35 2c 50 2d 58 2d 38 35 37 34 31 2d 31 2d 31 37 2c 50 2d 58 2d 31 31 33 35 30 31 2d 32 2d 38 2c 50 2d 58 2d 31 30 33 37 38 36 2d 31 2d 33 2c 50 2d 58 2d 37 38 35 34 36 2d 31 2d 35 2c 50 2d 52 2d 31 32 33 30 38 35 30 2d 31 34 2d 31 36 2c 50 2d 52 2d 36 31 32 34 38 2d 31 38 2d 36 2c 50 2d 52 2d 35 31 39 39 35 2d 31 38 2d 32 38 2c 50 2d 52 2d 35 32 30 30 30 2d 33 30 2d 32 38 2c 50 2d 52 2d 34 32 38 39 36 2d 37 34 2d 31 34 31 2c 69 69 37 35 30 33 39 32 2d 32 3a 35 Data Ascii: -5,lalan231:140781","Office_Legacy":"P-X-1229625-4-9,P-X-1117471-1-9,P-X-1056803-2-24,P-X-1054663-1-5,P-X-85741-1-17,P-X-113501-2-8,P-X-103786-1-3,P-X-78546-1-5,P-R-1230850-14-16,P-R-61248-18-6,P-R-51995-18-28,P-R-52000-30-28,P-R-42896-74-141,ii750392-2:5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49756	13.107.246.41	443	6900	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-04-23 20:25:13 UTC	207	OUT	GET /rules/rule324002v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-04-23 20:25:13 UTC	491	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 20:25:13 GMT Content-Type: text/xml Content-Length: 833 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT ETag: "0x8DC582BD9758B35" x-ms-request-id: 02964dcc-e01e-003d-324f-952bf2000000 x-ms-version: 2018-03-28 x-azure-ref: 20240423T202513Z-16f56cb894fmjg64h30ef49wcc00000001c0000000008r9h x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-04-23 20:25:13 UTC	833	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 32 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 44 65 63 6c 61 72 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 30 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49754	13.107.246.41	443	6900	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-04-23 20:25:13 UTC	208	OUT	GET /rules/rule170012v10s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-04-23 20:25:13 UTC	564	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 20:25:13 GMT Content-Type: text/xml Content-Length: 1523 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT ETag: "0x8DC582BD969CD29" x-ms-request-id: e8721880-f01e-00a0-2ebc-95139e000000 x-ms-version: 2018-03-28 x-azure-ref: 20240423T202513Z-16f56cb894fm2nn6atvm3qhr2s000000017g00000000gxgv x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-04-23 20:25:13 UTC	1523	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="10" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	13.107.246.41	443	6900	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-04-23 20:25:13 UTC	207	OUT	GET /rules/rule490016v3s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-04-23 20:25:13 UTC	471	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 20:25:13 GMT Content-Type: text/xml Content-Length: 777 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT ETag: "0x8DC582BEC2AAB32" x-ms-request-id: 99c3c621-a01e-0051-5cbc-959dc9000000 x-ms-version: 2018-03-28 x-azure-ref: 20240423T202513Z-16f56cb894fff7nsaw34vw5a9w000000018g00000000etz2 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-04-23 20:25:13 UTC	777	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 34 39 30 30 31 36 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 46 65 65 64 62 61 63 6b 2e 53 75 72 76 65 79 2e 46 6c 6f 6f 64 67 61 74 65 43 6c 69 65 6e 74 2e 52 6f 61 6d 69 6e 67 53 75 63 63 65 73 73 66 75 6c 52 65 61 64 57 72 69 74 65 22 20 41 54 54 3d 22 64 37 39 65 38 32 34 33 38 36 63 34 34 34 31 63 62 38 63 31 64 34 61 65 31 35 36 39 30 35 32 36 2d 62 64 34 34 33 33 30 39 2d 35 34 39 34 2d 34 34 34 61 2d 61 62 61 39 2d 30 61 66 39 65 65 66 39 39 66 38 34 2d 37 33 36 30 22 20 54 3d 22 55 70 6c 6f 61 64 2d 4d 65 64 69 75 6d 22 20 44 4c 3d 22 4e 22 20 44 43 61 3d 22 50 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49753	13.107.246.41	443	6900	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-04-23 20:25:13 UTC	206	OUT	GET /rules/rule63067v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-04-23 20:25:13 UTC	584	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 20:25:13 GMT Content-Type: text/xml Content-Length: 2871 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT ETag: "0x8DC582BEC5E84E0" x-ms-request-id: c8e678c6-c01e-0047-5d45-95d7e7000000 x-ms-version: 2018-03-28 x-azure-ref: 20240423T202513Z-16f56cb894fhc4lbn16aaspyen00000001b00000000064g2 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-04-23 20:25:13 UTC	2871	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>

Target ID:	0
Start time:	22:24:03
Start date:	23/04/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x7f0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	22:25:06
Start date:	23/04/2024
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff6af5f0000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Finalization-report-04-19-2024-06_23_25.csv

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXEPID: 6900, Parent PID: 752

General

Chronological Activities

Analysis Process: splwow64.exePID: 7632, Parent PID: 6900

General

Chronological Activities

Disassembly

Windows Analysis Report
Finalization-report-04-19-2024-06_23_25.csv