
Windows Analysis Report
gamme #U00e9talon CPG.xlsx

Overview

General Information

Sample name: gamme #U00e9talon CPG.xlsx
renamed because original name is a hash value
Original sample name: gamme talon CPG.xlsx
Analysis ID: 1522665
MD5: 3bc820335842b679d5a17f7675b05e83
SHA1: 5276b9c117c8068601a48f23d8b9bdd0db971ea5
SHA256: 3d25aba9124d9f921c93c31ccdf5e171db997236f4a9dcf2dddd696c90b1a32d

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 6412 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 5772 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No configs have been found
No yara matches
[Source: Network Connection] Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 13.107.246.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6412, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 64248
[Source: Network Connection] Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 64248, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6412, Protocol: tcp, SourceIp: 13.107.246.60, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched


[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:64249 version: TLS 1.2
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:64250 version: TLS 1.2
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:64248 version: TLS 1.2
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:64251 version: TLS 1.2
[Source: unknown] HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:64252 version: TLS 1.2
[Source: global traffic] TCP traffic: 192.168.2.4:64249 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64248 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64250 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64251 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64252 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64253 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64254 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64255 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64256 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 192.168.2.4:64257 -> 13.107.246.60:443
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64248
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64249
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64250
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64251
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64252
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64253
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64254
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64255
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64256
[Source: global traffic] TCP traffic: 13.107.246.60:443 -> 192.168.2.4:64257
[Source: excel.exe] Memory has grown: Private usage: 1MB later: 120MB
[Source: Joe Sandbox View] IP Address: 13.107.246.60 13.107.246.60
[Source: Joe Sandbox View] JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
[Source: global traffic] HTTP traffic detected: GET /rules/rule170022v2s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule170012v12s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: global traffic] HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1; Connection: Keep-Alive; Accept-Encoding: gzip; User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro); Host: otelrules.azureedge.net
[Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr] String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64251
[Source: unknown] Network traffic detected: HTTP traffic on port 64256 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64250
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64253
[Source: unknown] Network traffic detected: HTTP traffic on port 64255 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64252
[Source: unknown] Network traffic detected: HTTP traffic on port 64257 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 64250 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 64251 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 64248 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 64249 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64255
[Source: unknown] Network traffic detected: HTTP traffic on port 64253 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 64254 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64254
[Source: unknown] Network traffic detected: HTTP traffic on port 64252 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64257
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64256
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64248
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 64249
[Source: classification engine] Classification label: clean4.winXLSX@3/9@0/1
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File created: C:\Users\user\Desktop\~$gamme #U00e9talon CPG.xlsx
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File created: C:\Users\user\AppData\Local\Temp\{D0D59A53-C9B2-422E-8CDC-AE9ACDC9F952} - OProcSessId.dat
[Source: gamme #U00e9talon CPG.xlsx] OLE indicator, Workbook stream: true
[Source: DC830000.0.dr] OLE indicator, Workbook stream: true
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File read: C:\Users\desktop.ini
[Source: unknown] Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0f-f192-11d4-a65f-0040963251e5}\InProcServer32
[Source: Window Recorder] Window detected: More than 3 window changes detected
[Source: gamme #U00e9talon CPG.xlsx] Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
[Source: gamme #U00e9talon CPG.xlsx] Initial sample: OLE zip file path = xl/charts/chart4.xml
[Source: gamme #U00e9talon CPG.xlsx] Initial sample: OLE zip file path = xl/charts/chart2.xml
[Source: gamme #U00e9talon CPG.xlsx] Initial sample: OLE zip file path = xl/charts/chart3.xml
[Source: gamme #U00e9talon CPG.xlsx] Initial sample: OLE zip file path = xl/charts/chart1.xml
[Source: gamme #U00e9talon CPG.xlsx] Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
[Source: gamme #U00e9talon CPG.xlsx] Initial sample: OLE zip file path = xl/calcChain.xml
[Source: DC830000.0.dr] Initial sample: OLE zip file path = xl/charts/chart1.xml
[Source: DC830000.0.dr] Initial sample: OLE zip file path = xl/charts/chart2.xml
[Source: DC830000.0.dr] Initial sample: OLE zip file path = xl/charts/chart3.xml
[Source: DC830000.0.dr] Initial sample: OLE zip file path = xl/charts/chart4.xml
[Source: DC830000.0.dr] Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
[Source: DC830000.0.dr] Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
[Source: DC830000.0.dr] Initial sample: OLE zip file path = xl/calcChain.xml
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
[Source: gamme #U00e9talon CPG.xlsx] Initial sample: OLE indicators vbamacros = False
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 782
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation
Tactic | Techniques (number of matched signatures in parentheses)
Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution | Exploitation for Client Execution (2); Scheduled Task/Job; At; Cron; Launchd
Persistence | Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation | Process Injection (1); Extra Window Memory Injection (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion | Masquerading (2); Virtualization/Sandbox Evasion (1); Process Injection (1); Extra Window Memory Injection (1); Software Packing
Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery | Process Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection | Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control | Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (2); Fallback Channels
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
No Antivirus matches
Source | Detection | Scanner
bg.microsoft.map.fastly.net | 0% | Virustotal
s-part-0032.t-0009.t-msedge.net | 0% | Virustotal
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | unknown
s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.60 | s-part-0032.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522665
Start date and time: 2024-09-30 14:57:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: gamme #U00e9talon CPG.xlsx
renamed because original name is a hash value
Original Sample Name: gamme talon CPG.xlsx
Detection: CLEAN
Classification: clean4.winXLSX@3/9@0/1
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 184.28.90.27, 52.109.28.47, 52.113.194.132, 199.232.210.172, 20.42.65.85
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, onedscolprdeus05.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, uks-azsc-000.roaming.officeapps.live.com, s-0005.s-msedge.net, c
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
08:59:12 | API Interceptor | 801x Sleep call for process: splwow64.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.107.246.60 | https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v | malicious | Unknown | www.mimecast.com/Customers/Support/Contact-support/
 | http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5 | malicious | Unknown | wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0032.t-0009.t-msedge.net | INVOICE DUE..xlsx | malicious | HTMLPhisher | 13.107.246.60
 | https://www.netigate.se/a/s.aspx?s=1236726X450166796X50614 | malicious | Unknown | 13.107.246.60
 | Transmission Cost Database 2.0.xlsb | malicious | Unknown | 13.107.246.60
 | https://www.marketbeat.com/articles/music-streaming-site-spotify-temporarily-goes-down-2024-09-29/?utm_source=newsletter&utm_medium=email&utm_campaign=newsletterclick&source=ARNDaily&AccountID=13091940&hash=99E2922EEB6FEC86743F5DB2C0E84BA5899D68F68F1472F885291F590EAD713452D3376C362A15DEDE29DFC4761637FD6FDD698F31176C60366847F610D6C32C | malicious | Unknown | 13.107.246.60
 | https://ebookkeepers.com.pk/ | malicious | Unknown | 13.107.246.60
 | http://microsoft.biosency.com/ | malicious | Unknown | 13.107.246.60
 | http://www.etissallatss.com/ | malicious | Unknown | 13.107.246.60
 | http://yusdydsfjuuxx.weebly.com/ | malicious | HTMLPhisher | 13.107.246.60
 | Website_Redesign_Project.xls | malicious | Unknown | 13.107.246.60
 | http://serviceappinfms12.pages.dev/ | malicious | TechSupportScam | 13.107.246.60
bg.microsoft.map.fastly.net | SCAN_Client_No_XP9739270128398468932393.pdf | malicious | HTMLPhisher | 199.232.214.172
 | https://cganet.com/ | malicious | Unknown | 199.232.214.172
 | UhkzPftQIt.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | 7LC2izrr9u.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | UhkzPftQIt.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | 7LC2izrr9u.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ== | malicious | HTMLPhisher | 199.232.214.172
 | INVOICE DUE..xlsx | malicious | HTMLPhisher | 199.232.214.172
 | http://tayakay.com | malicious | Unknown | 199.232.214.172
 | test5.exe | malicious | XWorm | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | SCAN_Client_No_XP9739270128398468932393.pdf | malicious | HTMLPhisher | 13.107.253.45
 | INVOICE DUE..xlsx | malicious | HTMLPhisher | 52.109.89.19
 | https://www.netigate.se/a/s.aspx?s=1236726X450166796X50614 | malicious | Unknown | 52.146.128.240
 | Tonincasa Updated Employee sheet .pdf | malicious | HTMLPhisher | 150.171.27.10
 | PO554830092024.xls | malicious | Unknown | 13.107.246.45
 | PI#0034250924.xla.xlsx | malicious | Unknown | 13.107.246.45
 | https://wwvmicrosx.live/office365/office_cookies/main | malicious | HTMLPhisher | 13.107.246.67
 | https://en.softonic.com | malicious | Unknown | 13.107.246.60
 | SecuriteInfo.com.Linux.Siggen.9999.28931.8128.elf | malicious | Mirai | 20.94.30.16
 | SecuriteInfo.com.Linux.Siggen.9999.28522.3483.elf | malicious | Mirai | 20.31.86.98
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Stealc, Vidar | 13.107.246.60
 | file.exe | malicious | LummaC | 13.107.246.60
 | file.exe | malicious | LummaC, Stealc, Vidar | 13.107.246.60
 | file.exe | malicious | LummaC, Stealc, Vidar | 13.107.246.60
 | PO554830092024.xls | malicious | Unknown | 13.107.246.60
 | PI#0034250924.xla.xlsx | malicious | Unknown | 13.107.246.60
 | file.exe | malicious | LummaC, Stealc, Vidar | 13.107.246.60
 | file.exe | malicious | LummaC, Stealc, Vidar | 13.107.246.60
 | Transmission Cost Database 2.0.xlsb | malicious | Unknown | 13.107.246.60
 | https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip | malicious | LummaC | 13.107.246.60
No context
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 118
Entropy (8bit): 3.5700810731231707
Encrypted: false
SSDEEP: 3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5: 573220372DA4ED487441611079B623CD
SHA1: 8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256: BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512: F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious: false
Reputation: moderate, very likely benign file
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 338
Entropy (8bit): 3.4561211698933287
Encrypted: false
SSDEEP: 6:kKZW8ZJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:shkPlE99SCQl2DUevat
MD5: D59B5385E76FA1C33815AB168713CBC1
SHA1: 6768004A4E65FA1AA0D232952F5B220014297B24
SHA-256: 2A3AA62AEDDF2A064BCB583834DFF46B9EA2885B773B80079FD0B5FD629DDFC4
SHA-512: FC98383C69E5DC55FAAAEFF92477DF9F3EF0E55670EFD8EF66DAAB14B3514C39B163DD412F56CF320EFE038F8442F6F49DB19CA54425FEEEE99AFA3E0BA40906
Malicious: false
Reputation: low
Preview: p...... ...........f8...(...............................................x.5.@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: PNG image data, 977 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 5477
Entropy (8bit): 3.123605833485142
Encrypted: false
SSDEEP: 24:Lc8/6BJvNMOOEqeeenkOEEBeeennMREieeeenMGeeennMMOEEieeennMMpPWeeer:Lv/6BH
MD5: C4C38A7D937C652FE5C5A39C668F8D86
SHA1: BAACAB0836AFC11765E1896388D06F7A5DEB9253
SHA-256: 48B090CBFA1300A7A60F6EAAFA08DDACCFC96943C8A3E943A4B9D9E45A18B52A
SHA-512: 68C53BF3920CF12E2BCF5129DFE2AC61B4A0EF4BFF6692DAED401E53FDA7EEDA73A80FF13ED83D29FB03F97B8C5F5F3AD88890ACFFD3C12DF0F3710DCD4D7CAF
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: Microsoft Excel 2007+
Category: dropped
Size (bytes): 21794
Entropy (8bit): 7.474033971148992
Encrypted: false
SSDEEP: 384:B8BrEJN2sEjss+diIZFF42XfxMQDMMV/jEaEqmQl:myJdAf+d7x3MMZjEaEqmQl
MD5: 9AC8B53A26E303B3283CB30A9319941F
SHA1: CF8826B456C1F7B3BFBF693D1E66FC58EE9D8A00
SHA-256: 176DAC9D7201E316E902AB731A10EB6B01F3D7AE4212B7376C13C610547C7976
SHA-512: ECF28FC17FE112348DEFC6E7446D08DCAE5C2D74681D775574ACF822705C120D5109E6F0C11DF4A854F17F5C2F4E10D1C2F5A9774140DCD61F8A60F7BFA12C83
Malicious: false
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:KVC+cAmltV:KVC+cR
MD5: 9C7132B2A8CABF27097749F4D8447635
SHA1: 71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256: 7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512: 333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious: false
Preview: .user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File type: Microsoft Excel 2007+
Entropy (8bit): 7.4641242936231595
TrID:
  • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
  • ZIP compressed archive (8000/1) 18.60%
File name: gamme #U00e9talon CPG.xlsx
File size: 21'388 bytes
MD5: 3bc820335842b679d5a17f7675b05e83
SHA1: 5276b9c117c8068601a48f23d8b9bdd0db971ea5
SHA256: 3d25aba9124d9f921c93c31ccdf5e171db997236f4a9dcf2dddd696c90b1a32d
SHA512: fe79fd1ea0665f1bfdc795a21f84676059c28b46e85ffdd5f1b485919a2aa30607a5b9027fd49421b0132a05fde6e7e35fe27fec3f6aa2d95c93f479709209af
SSDEEP: 384:Imi51Vej47IEI88b+WzDd0bfV7s69YwK208dK16:nOVej4sEI88SWzDyTd0kK16
TLSH: CDA29E58C556EC6CC32A1D3CD52A02F19A0C7251CA82F69D14C0FB9C1B46DEB47DF2AB
Icon Hash: 35e58a8c0c8a85b9
Document Type: OpenXML
Number of OLE Files: 1
Has Summary Info:
Application Name:
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: False
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 14:59:14.838217974 CEST64248443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.838232040 CEST4436424813.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.838351965 CEST4436424813.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.838784933 CEST64248443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.843065977 CEST4436425213.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.843123913 CEST4436425213.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.843194962 CEST64252443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870315075 CEST64248443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870331049 CEST4436424813.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.870345116 CEST64248443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870352983 CEST4436424813.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.870455027 CEST64252443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870455027 CEST64252443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870487928 CEST4436425213.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.870517015 CEST4436425213.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.870554924 CEST64251443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870560884 CEST4436425113.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.870583057 CEST64251443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870588064 CEST4436425113.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.870687008 CEST64250443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870687008 CEST64250443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.870731115 CEST4436425013.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.870748043 CEST4436425013.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.872787952 CEST64249443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.872795105 CEST4436424913.107.246.60192.168.2.4
Sep 30, 2024 14:59:14.872807980 CEST64249443192.168.2.413.107.246.60
Sep 30, 2024 14:59:14.872813940 CEST4436424913.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.005530119 CEST64253443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.005635977 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.006237984 CEST64253443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.008119106 CEST64253443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.008157015 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.015964031 CEST64254443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.015974998 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.016679049 CEST64254443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.018376112 CEST64254443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.018390894 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.018479109 CEST64255443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.018536091 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.018774986 CEST64255443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.018930912 CEST64255443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.018960953 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.020571947 CEST64256443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.020601988 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.021279097 CEST64256443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.021518946 CEST64256443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.021536112 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.059768915 CEST64257443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.059793949 CEST4436425713.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.060353994 CEST64257443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.060503006 CEST64257443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.060513973 CEST4436425713.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.645488977 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.645947933 CEST64253443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.645976067 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.646684885 CEST64253443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.646691084 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.648113966 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.648432016 CEST64254443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.648441076 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.649209023 CEST64254443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.649214983 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.653008938 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.653378010 CEST64255443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.653412104 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.654038906 CEST64255443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.654052973 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.669058084 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.669373989 CEST64256443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.669394016 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.670123100 CEST64256443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.670130968 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.719984055 CEST4436425713.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.720324993 CEST64257443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.720336914 CEST4436425713.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.720969915 CEST64257443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.720973969 CEST4436425713.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.748344898 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.748368025 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.748394966 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.748434067 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.748452902 CEST64254443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.748482943 CEST64253443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.748636961 CEST64253443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.748657942 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.748671055 CEST64253443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.748671055 CEST64254443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.748682022 CEST4436425313.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.748692036 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.748702049 CEST64254443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.748707056 CEST4436425413.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.757147074 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.757211924 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.757380009 CEST64255443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.757433891 CEST64255443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.757433891 CEST64255443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.757471085 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.757493019 CEST4436425513.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.773858070 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.773893118 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.773988008 CEST64256443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.774152994 CEST64256443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.774168015 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.774179935 CEST64256443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.774184942 CEST4436425613.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.825243950 CEST4436425713.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.825285912 CEST4436425713.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.825334072 CEST64257443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.825495005 CEST64257443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.825495005 CEST64257443192.168.2.413.107.246.60
Sep 30, 2024 14:59:15.825508118 CEST4436425713.107.246.60192.168.2.4
Sep 30, 2024 14:59:15.825517893 CEST4436425713.107.246.60192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 14:58:30.581283092 CEST | 53 | 57421 | 1.1.1.1 | 192.168.2.4
Sep 30, 2024 14:58:57.128398895 CEST | 53 | 61907 | 162.159.36.2 | 192.168.2.4
Sep 30, 2024 14:58:57.596862078 CEST | 53 | 49510 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 30, 2024 14:58:10.141052961 CEST | 1.1.1.1 | 192.168.2.4 | 0x86f4 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 14:58:10.141052961 CEST | 1.1.1.1 | 192.168.2.4 | 0x86f4 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 14:59:14.070173979 CEST | 1.1.1.1 | 192.168.2.4 | 0x523b | No error (0) | shed.dual-low.s-part-0032.t-0009.t-msedge.net | s-part-0032.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 14:59:14.070173979 CEST | 1.1.1.1 | 192.168.2.4 | 0x523b | No error (0) | s-part-0032.t-0009.t-msedge.net | | 13.107.246.60 | A (IP address) | IN (0x0001) | false
  • otelrules.azureedge.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 64249 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:14 UTC | 207 | OUT | GET /rules/rule170022v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:14 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:14 GMT
Content-Type: text/xml
Content-Length: 756
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Sat, 27 Jul 2024 15:36:11 GMT
ETag: "0x8DCAE51D7B4AB9D"
x-ms-request-id: 764ec546-001e-0014-3dc1-125151000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125914Z-15767c5fc55tp7hb6tzuygumb800000002gg00000000gf94
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 12:59:14 UTC | 756 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 32 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 73 49 6e 6b 4c 6f 61 64 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 3d 22 31 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 38 69 70 6a 22 20 41 3d 22 61 6e 75 69 35 22
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170022" V="2" DC="SM" EN="Office.Graphics.GVisInkLoad" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" S="1" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="b8ipj" A="anui5"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 64248 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:14 UTC | 206 | OUT | GET /rules/rule63067v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:14 UTC | 584 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:14 GMT
Content-Type: text/xml
Content-Length: 2871
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT
ETag: "0x8DC582BEC5E84E0"
x-ms-request-id: d860cee4-b01e-00ab-5f10-13dafd000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125914Z-15767c5fc55rg5b7sh1vuv8t7n00000006wg00000000d5ta
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 12:59:14 UTC | 2871 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 64250 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:14 UTC | 208 | OUT | GET /rules/rule170012v12s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:14 UTC | 563 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:14 GMT
Content-Type: text/xml
Content-Length: 1353
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Sat, 25 May 2024 18:28:18 GMT
ETag: "0x8DC7CE8734A2850"
x-ms-request-id: 6e2d9c6b-a01e-000d-56c1-12d1ea000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125914Z-15767c5fc55dtdv4d4saq7t47n00000006dg0000000052ba
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-09-30 12:59:14 UTC | 1353 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="12" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 64251 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:14 UTC | 207 | OUT | GET /rules/rule490016v3s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:14 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:14 GMT
Content-Type: text/xml
Content-Length: 777
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT
ETag: "0x8DC582BEC2AAB32"
x-ms-request-id: 02242695-901e-0048-63c1-12b800000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125914Z-15767c5fc55rv8zjq9dg0musxg00000006fg00000000kgx2
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 12:59:14 UTC | 777 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 34 39 30 30 31 36 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 46 65 65 64 62 61 63 6b 2e 53 75 72 76 65 79 2e 46 6c 6f 6f 64 67 61 74 65 43 6c 69 65 6e 74 2e 52 6f 61 6d 69 6e 67 53 75 63 63 65 73 73 66 75 6c 52 65 61 64 57 72 69 74 65 22 20 41 54 54 3d 22 64 37 39 65 38 32 34 33 38 36 63 34 34 34 31 63 62 38 63 31 64 34 61 65 31 35 36 39 30 35 32 36 2d 62 64 34 34 33 33 30 39 2d 35 34 39 34 2d 34 34 34 61 2d 61 62 61 39 2d 30 61 66 39 65 65 66 39 39 66 38 34 2d 37 33 36 30 22 20 54 3d 22 55 70 6c 6f 61 64 2d 4d 65 64 69 75 6d 22 20 44 4c 3d 22 4e 22 20 44 43 61 3d 22 50
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 64252 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:14 UTC | 207 | OUT | GET /rules/rule324001v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:14 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:14 GMT
Content-Type: text/xml
Content-Length: 513
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:31 GMT
ETag: "0x8DC582BD84BDCC1"
x-ms-request-id: 909ffc80-501e-0064-6610-131f54000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125914Z-15767c5fc55dtdv4d4saq7t47n00000006a000000000fe54
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 12:59:14 UTC | 513 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 31 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 50 72 6f 6a 65 63 74 4c 6f 61 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 64253 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:15 UTC | 207 | OUT | GET /rules/rule324003v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:15 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:15 GMT
Content-Type: text/xml
Content-Length: 716
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9F5CC0A"
x-ms-request-id: bd6d1276-501e-0016-4d10-13181b000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125915Z-15767c5fc55gs96cphvgp5f5vc00000006f000000000d7hd
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 12:59:15 UTC | 716 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 33 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 52 65 66 65 72 65 6e 63 65 64 4c 69 62 72 61 72 79 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 64254 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:15 UTC | 207 | OUT | GET /rules/rule324002v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:15 UTC | 470 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:15 GMT
Content-Type: text/xml
Content-Length: 833
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT
ETag: "0x8DC582BD9758B35"
x-ms-request-id: 06a8ff02-301e-003f-5210-13266f000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125915Z-15767c5fc55gs96cphvgp5f5vc00000006f000000000d7he
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-09-30 12:59:15 UTC | 833 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 32 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 44 65 63 6c 61 72 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 30
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 64255 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:15 UTC | 207 | OUT | GET /rules/rule324004v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:15 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:15 GMT
Content-Type: text/xml
Content-Length: 738
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9FE7D4B"
x-ms-request-id: ed4ea32f-a01e-0084-5d10-139ccd000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125915Z-15767c5fc55v7j95gq2uzq37a000000006ug000000008k7m
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 12:59:15 UTC | 738 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 34 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 4f 62 6a 65 63 74 49 6e 73 74 61 6e 74 69 61 74 65 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 64256 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:15 UTC | 207 | OUT | GET /rules/rule324005v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:15 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:15 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:51 GMT
ETag: "0x8DC582BC0B3C3C8"
x-ms-request-id: 06a8ff13-301e-003f-6310-13266f000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125915Z-15767c5fc559lm6vwp3h1khw8n00000006wg00000000cvyd
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 12:59:15 UTC | 599 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 35 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 70 69 6c 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 64257 | 13.107.246.60 | 443 | 6412 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-09-30 12:59:15 UTC | 207 | OUT | GET /rules/rule324006v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-09-30 12:59:15 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 12:59:15 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:44 GMT
ETag: "0x8DC582BBC83D642"
x-ms-request-id: e7046479-f01e-0020-7210-13956b000000
x-ms-version: 2018-03-28
x-azure-ref: 20240930T125915Z-15767c5fc55lghvzbxktxfqntw000000064000000000n2y2
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-09-30 12:59:15 UTC | 599 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 36 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 53 68 6f 77 49 64 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Target ID: 0
Start time: 08:58:05
Start date: 30/09/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0x8f0000
File size: 53'161'064 bytes
MD5 hash: 4A871771235598812032C822E6F68F19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 08:59:11
Start date: 30/09/2024
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff741ca0000
File size: 163'840 bytes
MD5 hash: 77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

No disassembly