
Windows Analysis Report
BSA software Inventory Form 2022.xlsx

Overview

General Information

Sample name: BSA software Inventory Form 2022.xlsx
Analysis ID: 1431565
MD5: 2fda56e16c57152a3ad44964d1052045
SHA1: ff8849ab6fd3a6eacec413542c75326026cab662
SHA256: ad703b8fbca8fcef73df0b02691b70627c62199a609e5af426c72a36ea37ca4f

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections

Classification

Analysis Advice

Sample is a picture (JPEG, PNG, GIF etc), nothing to analyze
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
No malicious behavior found, analyze the document also on other version of Office / Acrobat
  • System is w10x64
  • EXCEL.EXE (PID: 7276 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 7052 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.213.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7276, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49756
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49756, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7276, Protocol: tcp, SourceIp: 13.107.213.41, SourceIsIpv6: false, SourcePort: 443
No Snort rule has matched


Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49757
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49759
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49756
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49760
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49765
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49765
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49765
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49765
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49765
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49761
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 192.168.2.4:49762 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49762
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49765
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49765
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49765 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49765
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49763
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 13.107.213.41:443
Source: global traffic | TCP traffic: 13.107.213.41:443 -> 192.168.2.4:49764
Source: Joe Sandbox View | IP Address: 13.107.213.41
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324007v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.213.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: classification engine | Classification label: clean4.winXLSX@3/2@0/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user\Desktop\~$BSA software Inventory Form 2022.xlsxJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{AB4C9DB0-5597-447E-AFD8-B796FDB1E0A5} - OProcSessId.datJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe, Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe, Window / User API: threadDelayed 532
Source: C:\Windows\splwow64.exe, Last function: Thread delayed
Source: C:\Windows\splwow64.exe, Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Process information queried: ProcessInformation
MITRE ATT&CK matrix (signature hit counts in parentheses):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Exploitation for Client Execution (2), Scheduled Task/Job, At, Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (1), Binary Padding, Software Packing
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Process Discovery (1), Virtualization/Sandbox Evasion (1), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (2), Ingress Tool Transfer (1), Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label | Link
BSA software Inventory Form 2022.xlsx | 0% | ReversingLabs | |
BSA software Inventory Form 2022.xlsx | 0% | Virustotal | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
bg.microsoft.map.fastly.net | 0% | Virustotal | |
part-0013.t-0009.t-msedge.net | 0% | Virustotal | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
part-0013.t-0009.t-msedge.net | 13.107.213.41 | true | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.213.41 | part-0013.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1431565
Start date and time:2024-04-25 13:18:16 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:BSA software Inventory Form 2022.xlsx
Detection:CLEAN
Classification:clean4.winXLSX@3/2@0/1
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.0.91, 52.113.194.132, 23.63.206.91, 52.109.6.63, 199.232.210.172, 51.132.193.104
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedscolprduks02.uksouth.cloudapp.azure.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eus2-azsc-000.roaming.officeapps.live.com, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, azureedge-t-prod.t
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:20:18 | API Interceptor | 556x Sleep call for process: splwow64.exe modified
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):338
Entropy (8bit):3.462038329656643
Encrypted:false
SSDEEP:6:kK6I8iZPiJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:SIFZpkPlE99SCQl2DUevat
MD5:2B854659B0C5B9E5F77BE095F8089BDC
SHA1:E09C39B3B83879E214C98B59F4F6B2D81012722A
SHA-256:6AB0FB1A3F345ADE926F61C1F22991A0AA923065F841AF0920D025AF377E87FF
SHA-512:3396D60280410A8CE78391BF2EA27D4D97A51A1EC95CED033D42ABB68DB59100D2C25F57C96BEA900DB6F661BCAE7E63A8E1EA8C37D5F8C12DE49CD6B44B9C83
Malicious:false
Reputation:low
Preview:p...... ........ASjj....(.................................................@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):165
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:KVC+cAmltV:KVC+cR
MD5:9C7132B2A8CABF27097749F4D8447635
SHA1:71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256:7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512:333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious:false
Reputation:moderate, very likely benign file
Preview:.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2011:03:02 16:34:39], baseline, precision 8, 19x26, components 3
Entropy (8bit):6.0445397533358225
TrID:
  • JFIF-EXIF JPEG Bitmap (5003/1) 32.25%
  • JFIF JPEG Bitmap (4007/3) 25.83%
  • JPEG Bitmap (3003/1) 19.36%
  • MP3 audio (ID3 v1.x tag) (2501/1) 16.12%
  • MP3 audio (1001/1) 6.45%
File name:BSA software Inventory Form 2022.xlsx
File size:9'499 bytes
MD5:2fda56e16c57152a3ad44964d1052045
SHA1:ff8849ab6fd3a6eacec413542c75326026cab662
SHA256:ad703b8fbca8fcef73df0b02691b70627c62199a609e5af426c72a36ea37ca4f
SHA512:30b10dfa167cdfb05df033cddbda0b9796b3945fd98dfb1ee1ff610539940d4566751ce1d90443298055a4d0be2dc1338bcb731762d36f04d28f57926c386269
SSDEEP:96:YL06F4DN73QJgP6sPn7ON7fknmWKbX/292MW4tmZ49sYV2j5KSgb6X6:w05DEgnqxkn4++4tmG9pmKx66
TLSH:121207197783DE60FAC08AB488B6E6C6A211AF9676A32A83755D35C6BF317D10D5C303
File Content Preview:......JFIF.....`.`......Adobe.d.........Exif..MM.*.............................b...........j.(...........1.........r.2...........i.............&......'.......'.Adobe Photoshop CS3 Windows.2011:03:02 16:34:39...................................00..........0
Icon Hash:35e58a8c0c8a85b9
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 25, 2024 13:19:19.887833118 CEST | 1.1.1.1 | 192.168.2.4 | 0x60e9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 13:19:19.887833118 CEST | 1.1.1.1 | 192.168.2.4 | 0x60e9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 13:20:24.287455082 CEST | 1.1.1.1 | 192.168.2.4 | 0xf9cb | No error (0) | shed.dual-low.part-0013.t-0009.t-msedge.net | part-0013.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 25, 2024 13:20:24.287455082 CEST | 1.1.1.1 | 192.168.2.4 | 0xf9cb | No error (0) | part-0013.t-0009.t-msedge.net | | 13.107.213.41 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 13:20:24.287455082 CEST | 1.1.1.1 | 192.168.2.4 | 0xf9cb | No error (0) | part-0013.t-0009.t-msedge.net | | 13.107.246.41 | A (IP address) | IN (0x0001) | false
  • otelrules.azureedge.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49760 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:24 UTC | 207 | OUT | GET /rules/rule324002v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:25 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:24 GMT
Content-Type: text/xml
Content-Length: 833
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT
ETag: "0x8DC582BD9758B35"
x-ms-request-id: d2555723-601e-008d-7ccd-965db6000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112024Z-16f56cb894fm2nn6atvm3qhr2s00000003kg000000007m0e
x-fd-int-roxy-purgeid: 0
X-Cache-Info: L1_T2
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-04-25 11:20:25 UTC | 833 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 32 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 44 65 63 6c 61 72 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 30
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49757 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:24 UTC | 208 | OUT | GET /rules/rule170012v10s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:24 UTC | 584 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:24 GMT
Content-Type: text/xml
Content-Length: 1523
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT
ETag: "0x8DC582BD969CD29"
x-ms-request-id: e8721880-f01e-00a0-2ebc-95139e000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112024Z-16f56cb894f4g6rbudmdpega9000000003q0000000003avu
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-04-25 11:20:24 UTC | 1523 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="10" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49759 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:24 UTC | 207 | OUT | GET /rules/rule490016v3s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:24 UTC | 471 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:24 GMT
Content-Type: text/xml
Content-Length: 777
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT
ETag: "0x8DC582BEC2AAB32"
x-ms-request-id: 9f3e566a-601e-00a1-2002-97389c000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112024Z-16f7b4795d4shqjdw1uzvqg8cs00000007u00000000005ff
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_MISS
Accept-Ranges: bytes
2024-04-25 11:20:24 UTC | 777 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 34 39 30 30 31 36 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 46 65 65 64 62 61 63 6b 2e 53 75 72 76 65 79 2e 46 6c 6f 6f 64 67 61 74 65 43 6c 69 65 6e 74 2e 52 6f 61 6d 69 6e 67 53 75 63 63 65 73 73 66 75 6c 52 65 61 64 57 72 69 74 65 22 20 41 54 54 3d 22 64 37 39 65 38 32 34 33 38 36 63 34 34 34 31 63 62 38 63 31 64 34 61 65 31 35 36 39 30 35 32 36 2d 62 64 34 34 33 33 30 39 2d 35 34 39 34 2d 34 34 34 61 2d 61 62 61 39 2d 30 61 66 39 65 65 66 39 39 66 38 34 2d 37 33 36 30 22 20 54 3d 22 55 70 6c 6f 61 64 2d 4d 65 64 69 75 6d 22 20 44 4c 3d 22 4e 22 20 44 43 61 3d 22 50
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49758 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:24 UTC | 207 | OUT | GET /rules/rule324001v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:24 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:24 GMT
Content-Type: text/xml
Content-Length: 513
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:31 GMT
ETag: "0x8DC582BD84BDCC1"
x-ms-request-id: af8a2863-a01e-0015-7dec-96e2d0000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112024Z-16f56cb894f4hxjjs88cmwhuqs00000003tg000000001cf0
x-fd-int-roxy-purgeid: 0
X-Cache-Info: L1_T2
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-04-25 11:20:24 UTC | 513 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 31 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 50 72 6f 6a 65 63 74 4c 6f 61 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49756 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:24 UTC | 206 | OUT | GET /rules/rule63067v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:24 UTC | 564 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:24 GMT
Content-Type: text/xml
Content-Length: 2871
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT
ETag: "0x8DC582BEC5E84E0"
x-ms-request-id: caae6fcf-501e-00aa-2002-971d8b000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112024Z-16f7b4795d4gnpqthyae4e8q5n00000007zg000000001cpn
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_MISS
Accept-Ranges: bytes
2024-04-25 11:20:24 UTC | 2871 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49761 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:25 UTC | 207 | OUT | GET /rules/rule324003v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:25 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:25 GMT
Content-Type: text/xml
Content-Length: 716
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9F5CC0A"
x-ms-request-id: 9f13af11-601e-00a1-2ff7-96389c000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112025Z-16f56cb894fhr8rcrxcb44u4s400000003pg0000000069qs
x-fd-int-roxy-purgeid: 0
X-Cache-Info: L1_T2
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-04-25 11:20:25 UTC | 716 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 33 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 52 65 66 65 72 65 6e 63 65 64 4c 69 62 72 61 72 79 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49762 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:25 UTC | 207 | OUT | GET /rules/rule324004v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:25 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:25 GMT
Content-Type: text/xml
Content-Length: 738
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9FE7D4B"
x-ms-request-id: 610a687c-f01e-008c-06f7-9676b4000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112025Z-16f56cb894fxtkfbk1uh2xw5y40000000220000000007g6x
x-fd-int-roxy-purgeid: 0
X-Cache-Info: L1_T2
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-04-25 11:20:25 UTC | 738 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 34 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 4f 62 6a 65 63 74 49 6e 73 74 61 6e 74 69 61 74 65 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49763 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:25 UTC | 207 | OUT | GET /rules/rule324007v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:25 UTC | 471 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:25 GMT
Content-Type: text/xml
Content-Length: 611
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:50 GMT
ETag: "0x8DC582BBFB58BC6"
x-ms-request-id: eabd0dd8-701e-003c-3702-9700f0000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112025Z-16f56cb894fqlhb6ssxt4emkw800000003y0000000001cr4
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_MISS
Accept-Ranges: bytes
2024-04-25 11:20:25 UTC | 611 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 37 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 49 64 65 4d 61 63 72 6f 52 75 6e 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324007" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryIdeMacroRun" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49765 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:25 UTC | 207 | OUT | GET /rules/rule324006v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:25 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:25 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:44 GMT
ETag: "0x8DC582BBC83D642"
x-ms-request-id: 86450606-301e-0050-70f7-96b6cb000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112025Z-16f56cb894fkl2jqzdqzzfp6ys00000002tg00000000746f
x-fd-int-roxy-purgeid: 0
X-Cache-Info: L1_T2
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-04-25 11:20:25 UTC | 599 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 36 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 53 68 6f 77 49 64 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49764 | 13.107.213.41 | 443 | 7276 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-25 11:20:25 UTC | 207 | OUT | GET /rules/rule324005v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-04-25 11:20:25 UTC | 471 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 11:20:25 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:51 GMT
ETag: "0x8DC582BC0B3C3C8"
x-ms-request-id: caae70bb-501e-00aa-7302-971d8b000000
x-ms-version: 2018-03-28
x-azure-ref: 20240425T112025Z-16f7b4795d4pfbdj6q9eu17xg4000000088g000000001zgd
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_MISS
Accept-Ranges: bytes
2024-04-25 11:20:25 UTC | 599 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 35 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 70 69 6c 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">
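
All ten HTTP sessions above share one shape: EXCEL.EXE (PID 7276) sends a GET for /rules/rule<id>v<version>s19.xml to otelrules.azureedge.net with a "Microsoft Office/16.0" user agent and receives a small text/xml rule definition (Office.Extensibility.VbaTelemetry*, Office.Identity.SspiPromptWin32, and so on) marked Cache-Control: immutable. That is the client's own telemetry-rule download, which is exactly the traffic a generic "Office process makes an outbound connection" detection fires on, so an analyst has to separate it from document-driven requests before reading the detection as evidence. The Python below is an added triage helper, not part of the Joe Sandbox report: it parses request records in the shape of the Data column and labels a request as Office telemetry only when process image, method, host, path shape and user agent all agree; anything else is queued for review. The allowlist (only the host seen here), the two regexes and the third, constructed record to files.example.net are assumptions for illustration and do not appear in the report.

```python
"""Triage of sandbox HTTP session records (added example, not part of the report).

Each record is (pid, process image, request text) in the shape of the report's
"Data" column: a request line followed by header lines. A request is labelled
office-telemetry only when every indicator agrees; anything else goes to review.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the analyst has vetted this host as Office's telemetry-rules CDN.
# It is the only host seen in the report; extend deliberately, not by copy-paste.
OFFICE_TELEMETRY_HOSTS = frozenset({"otelrules.azureedge.net"})

# Shape of the rule files fetched in the report: /rules/rule<id>v<ver>s<n>.xml
RULE_PATH = re.compile(r"^/rules/rule\d+v\d+s\d+\.xml$")
# Office client UA as seen in the report: "Microsoft Office/16.0 (Windows NT 10.0; ...)"
OFFICE_UA = re.compile(r"^Microsoft Office/\d+\.\d+ \(")

EXCEL = r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
UA = "User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)"


def _req(*lines: str) -> str:
    """Join header lines the way they travel on the wire (CRLF, blank-line terminator)."""
    return "\r\n".join(lines) + "\r\n\r\n"


# Sample input: the first two requests are copied from sessions 0 and 4 of the report;
# the third is constructed (host and path are not in the report) to show that an
# Office user agent on its own does not make a request telemetry.
SAMPLE_RECORDS: List[Tuple[int, str, str]] = [
    (7276, EXCEL, _req("GET /rules/rule324002v5s19.xml HTTP/1.1", "Connection: Keep-Alive",
                       "Accept-Encoding: gzip", UA, "Host: otelrules.azureedge.net")),
    (7276, EXCEL, _req("GET /rules/rule63067v4s19.xml HTTP/1.1", "Connection: Keep-Alive",
                       "Accept-Encoding: gzip", UA, "Host: otelrules.azureedge.net")),
    (7276, EXCEL, _req("GET /inventory/form.bin HTTP/1.1", "Connection: Keep-Alive",
                       UA, "Host: files.example.net")),  # constructed, not from the report
]


@dataclass
class HttpRequest:
    pid: int
    process: str
    method: str
    path: str
    version: str
    headers: Dict[str, str]  # header names lower-cased

    @property
    def host(self) -> str:
        return self.headers.get("host", "")


def parse_request(pid: int, process: str, raw: str) -> HttpRequest:
    """Parse a request line plus 'Name: value' headers; stops at the blank line."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = re.match(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$", lines[0])
    if not m:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break  # end of the header block
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(pid, process, m.group(1), m.group(2), m.group(3), headers)


def classify(req: HttpRequest) -> str:
    """Return 'office-telemetry' only when every indicator agrees, otherwise 'review'."""
    from_excel = req.process.lower().endswith("\\excel.exe")
    ua_ok = bool(OFFICE_UA.match(req.headers.get("user-agent", "")))
    if (from_excel and req.method == "GET" and req.host in OFFICE_TELEMETRY_HOSTS
            and RULE_PATH.match(req.path) and ua_ok):
        return "office-telemetry"
    return "review"


def triage(records: List[Tuple[int, str, str]]) -> dict:
    """Per-host request counts plus the requests a human still has to look at."""
    hosts: Dict[str, int] = {}
    review: List[str] = []
    telemetry = 0
    for pid, process, raw in records:
        req = parse_request(pid, process, raw)
        hosts[req.host] = hosts.get(req.host, 0) + 1
        if classify(req) == "office-telemetry":
            telemetry += 1
        else:
            review.append(f"PID {req.pid} {req.method} {req.host}{req.path}")
    return {"hosts": hosts, "office_telemetry": telemetry, "review": review}


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```

Run against the records above, the two report requests are labelled office-telemetry and the constructed one lands in the review list because its host is not on the allowlist, even though it carries the same Office user agent. The per-host counts are the first thing to read: a document that only ever talks to a single vetted Microsoft CDN looks very different from one that adds a host nobody has seen before.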



Target ID: 0
Start time: 13:19:13
Start date: 25/04/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0xa20000
File size: 53'161'064 bytes
MD5 hash: 4A871771235598812032C822E6F68F19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 13:20:18
Start date: 25/04/2024
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff711d30000
File size: 163'840 bytes
MD5 hash: 77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

No disassembly