Windows Analysis Report
annual-allowance.xlsm

Overview

General Information

Sample name: annual-allowance.xlsm
Analysis ID: 1522520
MD5: 7585482be8438af062027305c41def13
SHA1: fcd9f9f67f6bfe445a8222744011fecc663219d0
SHA256: 990a2304fc6c1e8eefb20f0923d772a2e2d2bb2b6b46d09a819ce6ae61f01bc2
Tags: xlsm, user-abuse_ch

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Unable to load, office file is protected or invalid

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 6692 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 648 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No configs have been found
No yara matches
[Source: Network Connection] [Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton] Data: DestinationIp: 13.107.246.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6692, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 58297
[Source: Network Connection] [Author: X__Junior (Nextron Systems)] Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 58297, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6692, Protocol: tcp, SourceIp: 13.107.246.60, SourceIsIpv6: false, SourcePort: 443
[Source: File created] [Author: Nasreddine Bencherchali (Nextron Systems)] Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 6692, TargetFilename: C:\Users\user\Desktop\~$annual-allowance.xlsm
No Suricata rule has matched

[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58297 version: TLS 1.2
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58298 version: TLS 1.2
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58299 version: TLS 1.2
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58300 version: TLS 1.2
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:58301 version: TLS 1.2
[Source: global traffic] TCP traffic: 192.168.2.4:58297-58306 <-> 13.107.246.60:443 (ten connections, one per local port, each first seen outbound from 192.168.2.4 and then carrying multiple segments in both directions; the original report lists every segment individually)
[Source: excel.exe] Memory has grown: Private usage: 2MB later: 99MB
[Source: Joe Sandbox View] IP Address: 13.107.246.60
[Source: Joe Sandbox View] JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
[Source: global traffic] HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule170022v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule170012v12s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
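The two Sigma matches listed under the signatures fire on one fact: EXCEL.EXE was the initiating side of a Sysmon EventID 3 network connection. By themselves they do not separate Office's own telemetry-rules download (every HTTP request in this run goes to otelrules.azureedge.net with a Microsoft Office user agent) from a macro fetching a second stage, which is exactly the question the "Potential document exploit detected (performs HTTP gets)" signature leaves open. The following script is an added triage example, not part of the Joe Sandbox report: it re-applies the core Sigma condition to the report's two EventID 3 records, parses the exported HTTP request lines, and suppresses what an assumed allowlist explains. The allowlist values (13.107.0.0/16 as a Microsoft-operated range, otelrules.azureedge.net as the telemetry host, the list of Office executables) and the third request line (cdn.example.net, a negative control) are assumptions and constructed input, not facts from the report.

```python
"""Added triage helper: replay the gist of the report's two Sigma network matches over its
own Sysmon records, then separate Office telemetry from anything else. Allowlist entries
are assumptions (see comments), not facts taken from the report."""
import re
from ipaddress import ip_address, ip_network

# Office executables an "Office process initiated a network connection" rule keys on.
# Assumption: the rule set covers the usual suite; this report only shows EXCEL.EXE.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe", "onenote.exe", "visio.exe"}

# Assumed allowlist used to suppress known-benign Office traffic. 13.107.0.0/16 is
# treated as Microsoft-operated and otelrules.azureedge.net as the Office telemetry
# rules host; confirm both against Microsoft's published endpoint lists before use.
MICROSOFT_RANGES = [ip_network("13.107.0.0/16")]
OFFICE_TELEMETRY_HOSTS = {"otelrules.azureedge.net"}
OFFICE_UA_PREFIX = "Microsoft Office/"

EXCEL = r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"

# The two Sysmon EventID 3 records shown in the report's Sigma matches.
SYSMON_EVENTS = [
    {"EventID": 3, "Image": EXCEL, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.4", "SourcePort": 58297,
     "DestinationIp": "13.107.246.60", "DestinationPort": 443},
    {"EventID": 3, "Image": EXCEL, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "13.107.246.60", "SourcePort": 443,
     "DestinationIp": "192.168.2.4", "DestinationPort": 58297},
]

# HTTP requests as the sandbox exports them (header boundaries run together). The first
# two are from the report; the third is a constructed negative control, not observed.
HTTP_REQUESTS = [
    "GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzip"
    "User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)"
    "Host: otelrules.azureedge.net",
    "GET /rules/rule170022v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzip"
    "User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)"
    "Host: otelrules.azureedge.net",
    "GET /update/stage2.bin HTTP/1.1Connection: Keep-Alive"
    "User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)"
    "Host: cdn.example.net",
]

_HEADERS = r"Connection|Accept-Encoding|Accept|User-Agent|Host|Cache-Control|Pragma"
_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")
# Lazy value terminated by the next known header name or end of line, so the parser
# copes with the fused export form and with the same line split by " | ".
_HEADER = re.compile(rf"(?P<name>{_HEADERS}):\s*(?P<value>.*?)(?=\s*\|?\s*(?:{_HEADERS}):|$)")


def parse_http_request(line):
    """Split one exported request into method, path, host and user agent."""
    m = _REQUEST_LINE.match(line)
    if not m:
        raise ValueError(f"not an HTTP request line: {line[:40]!r}")
    headers = {h.group("name").lower(): h.group("value").strip(" |")
               for h in _HEADER.finditer(line)}
    return {"method": m.group("method"), "path": m.group("path"),
            "host": headers.get("host", ""), "user_agent": headers.get("user-agent", "")}


def office_initiated_connection(event):
    """Core condition of both Sigma matches: an Office binary is the initiating side."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    return event["EventID"] == 3 and event.get("Initiated") is True and image in OFFICE_IMAGES


def is_microsoft_destination(ip_str):
    addr = ip_address(ip_str)
    return any(addr in net for net in MICROSOFT_RANGES)


def is_office_telemetry(req):
    return (req["host"].lower() in OFFICE_TELEMETRY_HOSTS
            and req["user_agent"].startswith(OFFICE_UA_PREFIX))


def triage(events, http_lines):
    """Sigma-level hits first, then what survives the allowlist and needs an analyst."""
    hits = [e for e in events if office_initiated_connection(e)]
    # The sandbox prints both peers; whichever address is not RFC 1918 is the remote end.
    remotes = {ip for e in hits for ip in (e["SourceIp"], e["DestinationIp"])
               if not ip_address(ip).is_private}
    requests = [parse_http_request(line) for line in http_lines]
    return {
        "sigma_hits": len(hits),
        "remote_ips": sorted(remotes),
        "unexplained_ips": sorted(ip for ip in remotes if not is_microsoft_destination(ip)),
        "telemetry_requests": sum(1 for r in requests if is_office_telemetry(r)),
        "unexplained_requests": [f"{r['method']} {r['host']}{r['path']}"
                                 for r in requests if not is_office_telemetry(r)],
    }


if __name__ == "__main__":
    for key, value in triage(SYSMON_EVENTS, HTTP_REQUESTS).items():
        print(f"{key}: {value}")
```

On the report's own data this leaves two Sigma hits, one remote address that the assumed Microsoft range explains, and two telemetry requests; only the constructed cdn.example.net request survives as something to look at. The allowlist is deliberately a suppression layer on top of the raw rule rather than a change to it, so a real second-stage fetch from an Office process still surfaces even when it carries the Office user agent.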
[Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr] String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
[Source: unknown] Network traffic detected: HTTP traffic on ports 58297-58306 <-> 443 (seen in both directions for all ten local ports)
[Source: C:\Windows\splwow64.exe] Process Stats: CPU usage > 49%
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Window title found: microsoft visual basic run-time error '1004': the cell or chart you're trying to change is on a protected sheet. to make a change unprotect the sheet. you might be requested to enter a password. [buttons: &continue &end &debug &help]
[Source: classification engine] Classification label: clean5.winXLSM@3/2@0/1
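The window title above is the dialog Excel raises when VBA code writes to a cell on a sheet that has sheetProtection set, so a macro did execute far enough to touch the sheet; together with the "Unable to load, office file is protected or invalid" signature it is worth checking statically what kind of protection the file actually carries before reading anything into the clean verdict. Sheet protection is a UI lock inside a plain OOXML zip, whereas a password-to-open workbook is usually an OLE/CFB container wrapping an encrypted package that no zip-based check can see into. The following script is an added example, not part of the Joe Sandbox report or its tooling: it tells the two container types apart, reports whether a VBA project part is present, lists worksheet parts that declare sheetProtection, and lists relationship targets marked External. The sample workbook it builds in memory (one protected sheet, one open sheet, an OLE-header stub for the VBA part, one hyperlink to example.invalid) is constructed for the demonstration and is not the analysed file.

```python
"""Added static check for a macro-enabled workbook: container type, VBA project presence,
protected worksheet parts, and external relationship targets. The sample workbook is
constructed in memory and is not the report's file."""
import io
import zipfile
import xml.etree.ElementTree as ET

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def container_kind(data):
    """OOXML is a zip; an OLE/CFB header on an .xlsm usually means an encrypted package."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(OLE_MAGIC):
        return "ole-cfb"
    return "unknown"


def inspect_xlsm(data):
    result = {"container": container_kind(data), "has_vba_project": False,
              "protected_sheets": [], "external_targets": []}
    if result["container"] != "ooxml-zip":
        return result  # nothing to unzip; an OLE container needs the open password first
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["has_vba_project"] = "xl/vbaproject.bin" in {n.lower() for n in names}
        for name in names:
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                # sheetProtection is a UI lock on cell edits, not encryption; a macro that
                # writes to such a sheet without unprotecting it raises run-time error 1004.
                if root.find(f"{{{SML_NS}}}sheetProtection") is not None:
                    result["protected_sheets"].append(name.rsplit("/", 1)[-1])
            elif name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        result["external_targets"].append(rel.get("Target"))
    return result


def build_sample_xlsm():
    """Constructed minimal workbook: one protected sheet, one open sheet, a VBA project
    stub (OLE header only) and one external hyperlink relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml",
                    f'<workbook xmlns="{SML_NS}" '
                    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                    '<sheets><sheet name="Allowance" sheetId="1" r:id="rId1"/>'
                    '<sheet name="Notes" sheetId="2" r:id="rId2"/></sheets></workbook>')
        zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("xl/worksheets/sheet1.xml",
                    f'<worksheet xmlns="{SML_NS}"><sheetData/>'
                    '<sheetProtection sheet="1" objects="1" scenarios="1"/></worksheet>')
        zf.writestr("xl/worksheets/sheet2.xml",
                    f'<worksheet xmlns="{SML_NS}"><sheetData/></worksheet>')
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                    f'<Relationships xmlns="{REL_NS}">'
                    f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" '
                    'Target="https://example.invalid/annual-allowance" TargetMode="External"/>'
                    '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsm()
    for key, value in inspect_xlsm(data).items():
        print(f"{key}: {value}")
```

Run it with a path to inspect a real file, or without arguments to see the constructed sample. A file that comes back as ole-cfb cannot be triaged this way at all and is the case the "protected or invalid" signature most often reflects; a plain zip with protected sheets and a vbaProject.bin is the case this report's run-time error 1004 points to.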
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File created: C:\Users\user\Desktop\~$annual-allowance.xlsm
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File created: C:\Users\user\AppData\Local\Temp\{843418D4-01E2-4775-9192-E7D524E9DC22} - OProcSessId.dat
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File read: C:\Users\desktop.ini
[Source: unknown] Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
[Source: Window Recorder] Window detected: More than 3 window changes detected
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process information set: NOOPENFILEERRORBOX (27 occurrences)
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
[Source: C:\Windows\splwow64.exe] Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 1806Jump to behavior
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 8116Jump to behavior
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior
MITRE ATT&CK Matrix, one line per tactic column (a leading number is the count of signatures matched for that technique):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: 2 Exploitation for Client Execution, Scheduled Task/Job, At, Cron, Launchd
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
  • Privilege Escalation: 1 Process Injection, 1 Extra Window Memory Injection, Logon Script (Windows), Login Hook, Network Logon Script
  • Defense Evasion: 2 Masquerading, 1 Virtualization/Sandbox Evasion, 1 Process Injection, 1 Extra Window Memory Injection, Software Packing
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: 1 Process Discovery, 1 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 File and Directory Discovery, 1 System Information Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Command and Control: 1 Encrypted Channel, 1 Ingress Tool Transfer, 1 Non-Application Layer Protocol, 2 Application Layer Protocol, Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Source | Detection | Scanner | Label
annual-allowance.xlsm | 0% | ReversingLabs |
annual-allowance.xlsm | 2% | Virustotal |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
s-part-0032.t-0009.t-msedge.net | 0% | Virustotal |
windowsupdatebg.s.llnwi.net | 1% | Virustotal |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false | | unknown
windowsupdatebg.s.llnwi.net | 41.63.96.0 | true | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.60 | s-part-0032.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522520
Start date and time: 2024-09-30 10:25:53 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Sample name: annual-allowance.xlsm
Detection: CLEAN
Classification: clean5.winXLSM@3/2@0/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active Button Object
  • Active Button Object
  • Active Button Object
  • Active Button Object
  • Active Button Object
  • Max analysis timeout: 600s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 184.28.90.27, 52.109.28.47, 41.63.96.0, 20.189.173.10, 20.189.173.6
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, uks-azsc-000.roaming.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdwus09.westus.cloudapp.azure.com, azureedge-
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
04:26:55 | API Interceptor | 40725637x Sleep call for process: splwow64.exe modified
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 118
Entropy (8bit): 3.5700810731231707
Encrypted: false
SSDEEP: 3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5: 573220372DA4ED487441611079B623CD
SHA1: 8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256: BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512: F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious: false
Reputation: moderate, very likely benign file
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 338
Entropy (8bit): 3.453887774916514
Encrypted: false
SSDEEP: 6:kKL9GW8OIaJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:D9ZEkPlE99SCQl2DUevat
MD5: F51709BCE4166E42058CB5B85BDC1ECE
SHA1: EC20AB9D65A442FBD936F556E9A8B489B3DF34C7
SHA-256: 1BB3BCB513512E885321671FD7F8064B85691F86EBA5939BA7B47FEBBF16BE6A
SHA-512: AE85F04106FBE1C0916D497C40188F4CB081E8DEE50E44E482B18B5085CC36A1A055259B36FE88B67B7A4D23E2A63FB8086DB58858467D549AD40BBFC36CADC6
Malicious: false
Reputation: low
Preview: p...... ...............(...............................................1%..@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
File type: Microsoft Excel 2007+
Entropy (8bit): 7.871478121504628
TrID:
  • Excel Microsoft Office Open XML Format document with Macro (52504/1) 54.97%
  • Excel Microsoft Office Open XML Format document (35004/1) 36.65%
  • ZIP compressed archive (8000/1) 8.38%
File name: annual-allowance.xlsm
File size: 142'109 bytes
MD5: 7585482be8438af062027305c41def13
SHA1: fcd9f9f67f6bfe445a8222744011fecc663219d0
SHA256: 990a2304fc6c1e8eefb20f0923d772a2e2d2bb2b6b46d09a819ce6ae61f01bc2
SHA512: 59ac36bed9363f08442f67bb8e4ed189e3e073a2b36bfb6d06482c5214b840677819ccf3536a6548cdbacc0d1715f8302f0ca1cf38b68ab7c4bff57845befd42
SSDEEP: 1536:xIWnXV99rpI61YG4bacgKgrUyqamXNskrAlBCvTOZRH/vV7VHUOCM7T3EIdbbMzy:KWTjID5ng4paGskMlBZTU+P2z7RG3jc2
TLSH: 17D3F128CB39AD1DD626D7BCD51C86E1602E271A8444ED0E64C4F18E4FC1BEF9B8E15E
File Content Preview: PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................
Icon Hash: 1d356664a4a09519
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 10:27:11.889678955 CEST | 53 | 59974 | 1.1.1.1 | 192.168.2.4
Sep 30, 2024 10:27:14.370378017 CEST | 53 | 65388 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 30, 2024 10:26:56.491226912 CEST | 1.1.1.1 | 192.168.2.4 | 0xd030 | No error (0) | windowsupdatebg.s.llnwi.net | | 41.63.96.0 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 10:26:56.491226912 CEST | 1.1.1.1 | 192.168.2.4 | 0xd030 | No error (0) | windowsupdatebg.s.llnwi.net | | 41.63.96.128 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 10:28:00.111829042 CEST | 1.1.1.1 | 192.168.2.4 | 0xe929 | No error (0) | shed.dual-low.s-part-0032.t-0009.t-msedge.net | s-part-0032.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 10:28:00.111829042 CEST | 1.1.1.1 | 192.168.2.4 | 0xe929 | No error (0) | s-part-0032.t-0009.t-msedge.net | | 13.107.246.60 | A (IP address) | IN (0x0001) | false
  • otelrules.azureedge.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 58299 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:00 UTC | 207 | OUT | GET /rules/rule490016v3s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:00 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:00 GMT
Content-Type: text/xml
Content-Length: 777
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT
ETag: "0x8DC582BEC2AAB32"
x-ms-request-id: 02242695-901e-0048-63c1-12b800000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082800Z-15767c5fc55xsgnlxyxy40f4m0000000063g00000000bp4m
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:00 UTC | 777 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 34 39 30 30 31 36 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 46 65 65 64 62 61 63 6b 2e 53 75 72 76 65 79 2e 46 6c 6f 6f 64 67 61 74 65 43 6c 69 65 6e 74 2e 52 6f 61 6d 69 6e 67 53 75 63 63 65 73 73 66 75 6c 52 65 61 64 57 72 69 74 65 22 20 41 54 54 3d 22 64 37 39 65 38 32 34 33 38 36 63 34 34 34 31 63 62 38 63 31 64 34 61 65 31 35 36 39 30 35 32 36 2d 62 64 34 34 33 33 30 39 2d 35 34 39 34 2d 34 34 34 61 2d 61 62 61 39 2d 30 61 66 39 65 65 66 39 39 66 38 34 2d 37 33 36 30 22 20 54 3d 22 55 70 6c 6f 61 64 2d 4d 65 64 69 75 6d 22 20 44 4c 3d 22 4e 22 20 44 43 61 3d 22 50
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 58297 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:00 UTC | 207 | OUT | GET /rules/rule170022v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:00 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:00 GMT
Content-Type: text/xml
Content-Length: 756
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Sat, 27 Jul 2024 15:36:11 GMT
ETag: "0x8DCAE51D7B4AB9D"
x-ms-request-id: 764ec546-001e-0014-3dc1-125151000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082800Z-15767c5fc552g4w83buhsr3htc00000006bg0000000027mp
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:00 UTC | 756 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 32 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 73 49 6e 6b 4c 6f 61 64 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 3d 22 31 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 38 69 70 6a 22 20 41 3d 22 61 6e 75 69 35 22
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170022" V="2" DC="SM" EN="Office.Graphics.GVisInkLoad" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" S="1" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="b8ipj" A="anui5"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 58298 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:00 UTC | 208 | OUT | GET /rules/rule170012v12s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:00 UTC | 563 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:00 GMT
Content-Type: text/xml
Content-Length: 1353
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Sat, 25 May 2024 18:28:18 GMT
ETag: "0x8DC7CE8734A2850"
x-ms-request-id: 6e2d9c6b-a01e-000d-56c1-12d1ea000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082800Z-15767c5fc55xsgnlxyxy40f4m0000000067g00000000339x
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-09-30 08:28:00 UTC | 1353 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="12" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 58301 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:00 UTC | 207 | OUT | GET /rules/rule324001v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:00 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:00 GMT
Content-Type: text/xml
Content-Length: 513
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:31 GMT
ETag: "0x8DC582BD84BDCC1"
x-ms-request-id: 909ffc80-501e-0064-6610-131f54000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082800Z-15767c5fc55rv8zjq9dg0musxg00000006a00000000055f3
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:00 UTC | 513 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 31 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 50 72 6f 6a 65 63 74 4c 6f 61 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 58300 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:00 UTC | 206 | OUT | GET /rules/rule63067v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:00 UTC | 584 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:00 GMT
Content-Type: text/xml
Content-Length: 2871
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT
ETag: "0x8DC582BEC5E84E0"
x-ms-request-id: d860cee4-b01e-00ab-5f10-13dafd000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082800Z-15767c5fc55fdfx81a30vtr1fw00000006gg00000000dwgz
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:00 UTC | 2871 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 58302 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:01 UTC | 207 | OUT | GET /rules/rule324002v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:01 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:01 GMT
Content-Type: text/xml
Content-Length: 833
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT
ETag: "0x8DC582BD9758B35"
x-ms-request-id: 06a8ff02-301e-003f-5210-13266f000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082801Z-15767c5fc55n4msda3xfqxy5w000000006cg000000007d3n
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:01 UTC | 833 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 32 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 44 65 63 6c 61 72 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 30
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 58305 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:01 UTC | 207 | OUT | GET /rules/rule324005v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:01 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:01 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:51 GMT
ETag: "0x8DC582BC0B3C3C8"
x-ms-request-id: 06a8ff13-301e-003f-6310-13266f000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082801Z-15767c5fc55gs96cphvgp5f5vc00000006700000000046w9
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:01 UTC | 599 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 35 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 70 69 6c 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 58303 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:01 UTC | 207 | OUT | GET /rules/rule324003v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:01 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:01 GMT
Content-Type: text/xml
Content-Length: 716
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9F5CC0A"
x-ms-request-id: bd6d1276-501e-0016-4d10-13181b000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082801Z-15767c5fc552g4w83buhsr3htc0000000690000000007tnv
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:01 UTC | 716 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 33 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 52 65 66 65 72 65 6e 63 65 64 4c 69 62 72 61 72 79 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 58306 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:01 UTC | 207 | OUT | GET /rules/rule324006v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:01 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:01 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:44 GMT
ETag: "0x8DC582BBC83D642"
x-ms-request-id: e7046479-f01e-0020-7210-13956b000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082801Z-15767c5fc55xgp8c992y5v5w18000000069g00000000e5ga
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:01 UTC | 599 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 36 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 53 68 6f 77 49 64 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 58304 | 13.107.246.60 | 443 | 6692 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 08:28:01 UTC | 207 | OUT | GET /rules/rule324004v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 08:28:01 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 08:28:01 GMT
Content-Type: text/xml
Content-Length: 738
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9FE7D4B"
x-ms-request-id: ed4ea32f-a01e-0084-5d10-139ccd000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T082801Z-15767c5fc55dtdv4d4saq7t47n000000062g000000005s5q
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 08:28:01 UTC | 738 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 34 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 4f 62 6a 65 63 74 49 6e 73 74 61 6e 74 69 61 74 65 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT


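All ten HTTPS sessions above have the same shape: EXCEL.EXE (PID 6692) sends a GET for /rules/rule<id>v<n>s19.xml to otelrules.azureedge.net with the Office client User-Agent and receives a small UTF-8 XML file whose root element names an Office telemetry event (Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite, Office.Extensibility.VbaTelemetryProjectLoad and so on). That traffic is what the two Sigma hits in the overview match, since those rules fire on any outbound connection from an Office process; deciding whether the connection is explained is left to the analyst. The Python below is an added example, not part of the Joe Sandbox report, that encodes that decision: it rebuilds the ten sessions from the fields shown above (session ID, source port, rule file, Content-Length), checks each one against the telemetry-fetch shape (host, User-Agent, method and path, destination port, Content-Type, UTF-8 BOM plus XML prologue, Content-Length against bytes transferred) and returns the deviations as findings. The allowlisted host, the Office image set and the constructed negative case (a reserved example.net host and the 203.0.113.5 documentation address) are assumptions made for the example, not data from the report.

```python
"""Added triage example for the Office HTTP sessions above (not part of the
Joe Sandbox report): label each session as the Office telemetry-rule download
that explains the Sigma hits, or as one that needs an analyst's attention."""
import re
from dataclasses import dataclass

# Assumptions, not from the report: only the host seen on this page counts as a
# known telemetry endpoint; the image set stands in for a Sigma rule's Office list.
OFFICE_TELEMETRY_HOSTS = {"otelrules.azureedge.net"}
OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
OFFICE_UA = re.compile(r"Microsoft Office/16\.0 \(Windows NT [\d.]+; Microsoft \w+ [\d.]+; \w+\)")
RULE_PATH = re.compile(r"/rules/rule\d+v\d+s\d+\.xml")
XML_BOM = b"\xef\xbb\xbf<?xml"  # UTF-8 BOM followed by the XML prologue, as in every response above


@dataclass(frozen=True)
class Session:
    sid: int
    sport: int
    dst: str
    dport: int
    image: str
    request: str        # request head as captured
    response: str       # response head as captured
    body_bytes: int     # "Bytes transferred" of the IN data record
    body_prefix: bytes  # first bytes of the response body


def parse_head(raw: str) -> tuple[str, dict[str, str]]:
    """Split an HTTP message head into its start line and a lower-cased header map."""
    lines = [ln for ln in raw.split("\r\n") if ln]
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(s: Session) -> tuple[str, list[str]]:
    """Return ('benign-telemetry' | 'review' | 'not-office', findings)."""
    if s.image.rsplit("\\", 1)[-1].upper() not in OFFICE_IMAGES:
        return "not-office", []
    findings = []
    start, req = parse_head(s.request)
    method, path = (start.split(" ") + ["", ""])[:2]
    host = req.get("host", "")
    _, resp = parse_head(s.response)
    if host not in OFFICE_TELEMETRY_HOSTS:
        findings.append(f"host {host!r} is not a known Office telemetry endpoint")
    if not OFFICE_UA.fullmatch(req.get("user-agent", "")):
        findings.append("User-Agent is not the Office client string")
    if method != "GET" or not RULE_PATH.fullmatch(path):
        findings.append(f"{method} {path} is not a telemetry rule fetch")
    if s.dport != 443:
        findings.append(f"unexpected destination port {s.dport}")
    if resp.get("content-type") != "text/xml" or not s.body_prefix.startswith(XML_BOM):
        findings.append("response is not the UTF-8 XML rule file Office expects")
    if resp.get("content-length") != str(s.body_bytes):
        findings.append("Content-Length does not match the bytes transferred")
    return ("review" if findings else "benign-telemetry"), findings


EXCEL = r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
UA = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)"
# Session ID, source port, rule file and Content-Length copied from the sessions above.
REPORT_FETCHES = [
    (0, 58299, "rule490016v3s19.xml", 777), (1, 58297, "rule170022v2s19.xml", 756),
    (2, 58298, "rule170012v12s19.xml", 1353), (3, 58301, "rule324001v4s19.xml", 513),
    (4, 58300, "rule63067v4s19.xml", 2871), (5, 58302, "rule324002v5s19.xml", 833),
    (6, 58305, "rule324005v2s19.xml", 599), (7, 58303, "rule324003v5s19.xml", 716),
    (8, 58306, "rule324006v2s19.xml", 599), (9, 58304, "rule324004v4s19.xml", 738),
]


def report_sessions() -> list[Session]:
    """Rebuild the report's ten sessions from the fields listed above."""
    out = []
    for sid, sport, name, length in REPORT_FETCHES:
        req = (f"GET /rules/{name} HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept-Encoding: gzip\r\n"
               f"User-Agent: {UA}\r\nHost: otelrules.azureedge.net\r\n\r\n")
        resp = (f"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Length: {length}\r\n"
                "Connection: close\r\n\r\n")
        out.append(Session(sid, sport, "13.107.246.60", 443, EXCEL, req, resp, length,
                           b'\xef\xbb\xbf<?xml version="1.0" encoding="utf-8"?>\r\n<R '))
    return out


# Constructed negative case, not from the report: same process and User-Agent, but a
# non-XML download from a reserved documentation host (RFC 2606) and address (RFC 5737).
CONSTRUCTED_SUSPECT = Session(
    99, 60000, "203.0.113.5", 443, EXCEL,
    f"GET /inv/update.bin HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: files.example.net\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 4096\r\n\r\n",
    4096, b"not-xml",
)

if __name__ == "__main__":
    for s in report_sessions() + [CONSTRUCTED_SUSPECT]:
        verdict, why = triage(s)
        print(f"session {s.sid}: {verdict}", "; ".join(why))
```

Run as a script, the ten report sessions come back as benign-telemetry and the constructed case as review with three findings (unknown host, non-rule path, non-XML response). A check like this is a suppression with stated reasons, not a proof of benignity: a request that keeps the Office User-Agent but changes the host or the body is exactly what the individual findings are there to surface, which is why each test records its own reason instead of collapsing to a single boolean.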
Target ID: 0
Start time: 04:26:50
Start date: 30/09/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0xd10000
File size: 53'161'064 bytes
MD5 hash: 4A871771235598812032C822E6F68F19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 04:26:55
Start date: 30/09/2024
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff700420000
File size: 163'840 bytes
MD5 hash: 77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

No disassembly