Windows Analysis Report
5dd GYD.xlsm

Overview

General Information

Sample name: 5dd GYD.xlsm (renamed because the original name is a hash value)
Original sample name: GYD.xlsm
Analysis ID: 1523180
MD5: d0f828fc4c0bc794cfe6b201de7e8dd7
SHA1: c4075209d0332a33d625c00a5d0046e005481e1a
SHA256: 9f670c7000df69e7c363f89e1aa96bf66a1a0a8472de17c771ab4e74de13bde9

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 4340 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 3804 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.246.45, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 4340, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49754
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49754, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 4340, Protocol: tcp, SourceIp: 13.107.246.45, SourceIsIpv6: false, SourcePort: 443
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 4340, TargetFilename: C:\Users\user\Desktop\~$5dd GYD.xlsm
No Suricata rule has matched

There are no malicious signatures.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: excel.exe | Memory has grown: Private usage: 2MB later: 175MB
Source: Joe Sandbox View | IP Address: 13.107.246.45
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule170012v12s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule170022v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic | HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: classification engine | Classification label: clean4.winXLSM@3/2@0/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$5dd GYD.xlsm
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{606F75B0-ED2F-49D4-8F12-1A7E28AFDA5F} - OProcSessId.dat
Source: 5dd GYD.xlsm | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 5dd GYD.xlsm | Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: 5dd GYD.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: 5dd GYD.xlsm | Static file information: File size 23770562 > 1048576
Source: 5dd GYD.xlsm | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 1632Jump to behavior
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior
MITRE ATT&CK matrix (a leading number is the count of matched signatures for that technique; unnumbered techniques did not match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Exploitation for Client Execution; Scheduled Task/Job; At; Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 Extra Window Memory Injection; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 2 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Extra Window Memory Injection; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Process Discovery; 1 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 1 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
No Antivirus matches
Source | Detection | Scanner | Label
s-part-0017.t-0009.t-msedge.net | 0% | Virustotal |
fp2e7a.wpc.phicdn.net | 0% | Virustotal |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.45 | s-part-0017.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1523180
Start date and time:2024-10-01 08:46:32 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 9s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Potential for more IOCs and behavior
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:5dd GYD.xlsm
renamed because original name is a hash value
Original Sample Name: GYD.xlsm
Detection:CLEAN
Classification:clean4.winXLSM@3/2@0/1
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, WMIADAP.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 13.85.23.86, 88.221.110.91, 2.16.100.168, 20.3.187.198, 52.165.164.15, 52.109.32.97, 52.113.194.132, 184.28.90.27, 52.109.28.47, 20.42.65.90
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, onedscolprdeus14.eastus.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, osiprod-uks-buff-azsc-000.ukso
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:49:35 | API Interceptor | 1653x Sleep call for process: splwow64.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.107.246.45
  • https://pcefan.com/diary/index.php?st-manager=1&path=/click/track&id=4973&type=ranking&url=http://nam.dcv.ms/BxPVLH2cz4 | malicious | HTMLPhisher | nam.dcv.ms/BxPVLH2cz4
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net
  • https://docs.zoom.us/doc/qMqlDrh-RUWwdmI-mAClTg | malicious | HTMLPhisher | 13.107.246.45
  • http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u | malicious | HTMLPhisher | 13.107.246.45
  • https://targetemissionservices.ezofficeinventory.com/users/sign_in | malicious | Unknown | 13.107.246.45
  • https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true | malicious | Unknown | 13.107.246.45
  • SCAN_Client_No_XP9739270128398468932393.pdf | malicious | HTMLPhisher | 13.107.246.45
  • INVOICE DUE..xlsx | malicious | HTMLPhisher | 13.107.246.45
  • https://www.netigate.se/a/s.aspx?s=1236726X450166796X50614 | malicious | Unknown | 13.107.246.45
  • PO554830092024.xls | malicious | Unknown | 13.107.246.45
  • PI#0034250924.xla.xlsx | malicious | Unknown | 13.107.246.45
  • https://wwvmicrosx.live/office365/office_cookies/main | malicious | HTMLPhisher | 13.107.246.45
fp2e7a.wpc.phicdn.net
  • https://abby-gatenby.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVNucEJVREU9JnVpZD1VU0VSMDMwOTIwMjRVNDYwOTAzMDE=N0123N | malicious | Unknown | 192.229.221.95
  • http://assets.watchasync.com | malicious | Unknown | 192.229.221.95
  • Adjunto factura.vbs | malicious | Unknown | 192.229.221.95
  • RFQ -SCHOTTEL Type SRP200.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 192.229.221.95
  • https://www.afghanhayatrestaurant.com.au/ | malicious | Unknown | 192.229.221.95
  • https://booking.com-partners.one/confirm/login/qAlElVVF | malicious | Unknown | 192.229.221.95
  • https://www.polorestobar.com/ | malicious | Unknown | 192.229.221.95
  • https://jv.prenticeu.com/SAFlSIeECgRZt_tUKXhAOQHYyqb5e4/ | malicious | HTMLPhisher | 192.229.221.95
  • http://www.toyotanation.com//help//terms | malicious | Unknown | 192.229.221.95
  • http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u | malicious | HTMLPhisher | 192.229.221.95
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS
  • https://docs.zoom.us/doc/qMqlDrh-RUWwdmI-mAClTg | malicious | HTMLPhisher | 40.126.32.68
  • 1_13904442253.xla.xlsx | malicious | Unknown | 13.107.246.60
  • https://u47113775.ct.sendgrid.net/ls/click?upn=u001.NLjCc2NrF5-2Fl1RHefgLH74dDCI-2FlQUMQCuknF0akr34-3DPZ74_Bz-2FoIC9YMuvgy8ZsoekpZ-2Fn96y0OCAueT5LjwQn-2FX25AbFWdd2iGOJMfOUDymLwSDnjLWUuKOfyExMHrLPQc6sWuvBEF4PT9PwlcB-2BK9NQmoQucfLOeGSzPQg4J-2Bvn2C-2FT7DBGI3L6HQml9TPdefbzANw58o8IwtiN3AMNw21dRhcIy1JE5InQL6ZhzyniB-2FPrKB2Vn9uUJ7Mm1QrvUZh95-2FIqg1tkHnn-2FLCgLCOHUCdp1zwu5x-2Fprfv3kPHwI33RA9-2FJGY9xYPl-2BGH4uHP30vXeaFOwuVkWjx1bpQcAiato1uxhbL8AJAqpgT-2Bg5yQp7xXBACsCORIJr0VehkYFdFdFkgZPx7KSQblwloMm5OUc-2B9bb1d0siCBq5u36Pp2iCgmhq5PmipxmWr1HvrLZkdUUXJjpaRdjjEopb-2Fhw3b-2BUOpmNbUIJywjWyMBcUA9ScKtkpotTga2qo5ZaX-2B7AVyqz8KXtUfTb8SopobzuOWPiU-2BhBa8i7lRIGGQBQZmYU1TWv5mQ8uRPPf-2FWdH9RREF8cMLDET4k24yu8dJdqteeATx8Jfw8MWOWehX6ZTxJWGswooAVOvW116fDJmFNO-2F-2BecR-2Fd9NmRwCYnnK4Bh3IM-3D | malicious | HTMLPhisher | 150.171.27.10
  • Arrival Notice_pdf.exe | malicious | FormBook | 52.187.43.40
  • https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf | malicious | HTMLPhisher | 150.171.28.10
  • http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u | malicious | HTMLPhisher | 13.107.246.60
  • https://url.uk.m.mimecastprotect.com/s/879wCp9pjInpwnDHPf7CG_Zsy?domain=aerographicsut-my.sharepoint.com | malicious | HTMLPhisher | 52.97.135.98
  • phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 150.171.28.10
  • (No subject) (82).eml | malicious | Unknown | 104.47.64.28
  • https://www.allegiantair.com/deals//smsgiveaway | malicious | Unknown | 150.171.27.10
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1
  • 1_13904442253.xla.xlsx | malicious | Unknown | 13.107.246.45
  • 46L03o2EOY.exe | malicious | Unknown | 13.107.246.45
  • 6JA2YPtbeB.exe | malicious | LummaC, Stealc, Vidar | 13.107.246.45
  • 46L03o2EOY.exe | malicious | Unknown | 13.107.246.45
  • hTR7xY0d0V.exe | malicious | LummaC, Stealc, Vidar | 13.107.246.45
  • N83LFtMTUS.exe | malicious | LummaC, Stealc, Vidar | 13.107.246.45
  • msimg32.dll | malicious | LummaC | 13.107.246.45
  • 1bhYyrjyNk.vbs | malicious | Unknown | 13.107.246.45
  • WQRNV7bMS5.vbs | malicious | Unknown | 13.107.246.45
  • 6L9vCf48mN.vbs | malicious | Unknown | 13.107.246.45
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):118
Entropy (8bit):3.5700810731231707
Encrypted:false
SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:573220372DA4ED487441611079B623CD
SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:false
Reputation:moderate, very likely benign file
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):165
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:KVC+cAmltV:KVC+cR
MD5:9C7132B2A8CABF27097749F4D8447635
SHA1:71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256:7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512:333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious:false
Reputation:moderate, very likely benign file
Preview:.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File type:Microsoft Excel 2007+
Entropy (8bit):7.990574180044856
TrID:
  • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
  • ZIP compressed archive (8000/1) 18.60%
File name:5dd GYD.xlsm
File size:23'770'562 bytes
MD5:d0f828fc4c0bc794cfe6b201de7e8dd7
SHA1:c4075209d0332a33d625c00a5d0046e005481e1a
SHA256:9f670c7000df69e7c363f89e1aa96bf66a1a0a8472de17c771ab4e74de13bde9
SHA512:e14702b089db263c91969bc4b5d7b20d638a8e421c87984eebc64c62e5be249c7884221480139c81ebe17b907a5664e73566c727e967f3bedfbf76f2c8679f35
SSDEEP:393216:ifWQLHM/sBHC5PJ0dxYwod9r2BhIBPmxsMPNrs9hL64QyVjjl4JJ6Mwd6/c4setO:ifnbM/sBHYJ0dyT9VBQ5sz64QKjB4JQ3
TLSH:B63733D1CD9A288E1DA891BD108D8BE5F27C49FD659148D3683ABC1827EFAC35F70E41
File Content Preview:PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................
Icon Hash:1d356664a4a09519
Document Type:OpenXML
Number of OLE Files:1
Has Summary Info:
Application Name:
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 08:49:39.517872095 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.517957926 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.518023014 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.518053055 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.518059015 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.518062115 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.518095970 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.518251896 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.518275976 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.518416882 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.518445015 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.518510103 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.518524885 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.518619061 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.518634081 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.524506092 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.524542093 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.526284933 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.526590109 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.526597977 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.526751041 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.526921034 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.526921034 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:39.526932955 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:39.526947021 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.158858061 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.158921957 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.158972979 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.159041882 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.160959005 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.160959959 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.160965919 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.160970926 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.161183119 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.161207914 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.162642956 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.162771940 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.165065050 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.165128946 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.166457891 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.166464090 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.166954994 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.168718100 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.186177969 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.186271906 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.187288046 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.187308073 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.187653065 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.188703060 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.199579954 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.199647903 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.200587988 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.200592995 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.200829029 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.201822042 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.203424931 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.207403898 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.211404085 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.235414982 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.243442059 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.258194923 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.258455992 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.258512020 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.258554935 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.258575916 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.258615017 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.258625031 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.258874893 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.258918047 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.259497881 CEST | 49756 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.259500027 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.259511948 CEST | 443 | 49756 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.259516954 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.259517908 CEST | 49755 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.259525061 CEST | 443 | 49755 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.265310049 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.265377045 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.265424013 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.265650988 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.265661955 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.265670061 CEST | 49758 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.265675068 CEST | 443 | 49758 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.271133900 CEST | 49759 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.271156073 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.271328926 CEST | 49759 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.271487951 CEST | 49759 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.271497965 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.272890091 CEST | 49760 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.272897005 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.272967100 CEST | 49760 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.273283958 CEST | 49760 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.273298979 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.273504972 CEST | 49761 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.273519993 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.273574114 CEST | 49761 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.273715019 CEST | 49761 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.273725033 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.304662943 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.304709911 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.304883003 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.304923058 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.304927111 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.304953098 CEST | 49757 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.304956913 CEST | 443 | 49757 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.308660030 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.308873892 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.308940887 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.309170961 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.309202909 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.309237003 CEST | 49754 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.309251070 CEST | 443 | 49754 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.313688040 CEST | 49762 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.313698053 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.314268112 CEST | 49762 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.314533949 CEST | 49762 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.314543962 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.316186905 CEST | 49763 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.316200018 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.316437006 CEST | 49763 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.316576004 CEST | 49763 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.316592932 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.905819893 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.906339884 CEST | 49760 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.906357050 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.907193899 CEST | 49760 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.907197952 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.907495975 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.907788992 CEST | 49761 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.907802105 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.908626080 CEST | 49761 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.908629894 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.917234898 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.918230057 CEST | 49759 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.918240070 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.918477058 CEST | 49759 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.918479919 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.981170893 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.982223034 CEST | 49762 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.982229948 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:40.982426882 CEST | 49762 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:40.982429981 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.005606890 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.005646944 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.005853891 CEST | 49760 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.005980015 CEST | 49760 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.005980015 CEST | 49760 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.005995035 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.006002903 CEST | 443 | 49760 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.007762909 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.007816076 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.008008003 CEST | 49761 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.008049011 CEST | 49761 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.008049011 CEST | 49761 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.008055925 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.008064032 CEST | 443 | 49761 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.009807110 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.010138035 CEST | 49763 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.010143995 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.010910034 CEST | 49763 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.010912895 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.019257069 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.019311905 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.019449949 CEST | 49759 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.019601107 CEST | 49759 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.019601107 CEST | 49759 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.019608974 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.019612074 CEST | 443 | 49759 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.085288048 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.085519075 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.085753918 CEST | 49762 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.085793972 CEST | 49762 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.085793972 CEST | 49762 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.085798025 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.085803986 CEST | 443 | 49762 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.120196104 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.120254040 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.120497942 CEST | 49763 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.120517015 CEST | 49763 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.120517015 CEST | 49763 | 443 | 192.168.2.4 | 13.107.246.45
Oct 1, 2024 08:49:41.120526075 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Oct 1, 2024 08:49:41.120532990 CEST | 443 | 49763 | 13.107.246.45 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 1, 2024 08:47:41.929560900 CEST | 1.1.1.1 | 192.168.2.4 | 0x8984 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 1, 2024 08:47:41.929560900 CEST | 1.1.1.1 | 192.168.2.4 | 0x8984 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 08:49:39.516933918 CEST | 1.1.1.1 | 192.168.2.4 | 0x6c23 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 1, 2024 08:49:39.516933918 CEST | 1.1.1.1 | 192.168.2.4 | 0x6c23 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
  • otelrules.azureedge.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49756 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 206 | OUT | GET /rules/rule63067v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:40 UTC | 584 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:40 GMT
Content-Type: text/xml
Content-Length: 2871
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT
ETag: "0x8DC582BEC5E84E0"
x-ms-request-id: 6fb6f6f2-401e-0083-5cc5-13075c000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc55472x4k7dmphmadg00000007cg000000003r4r
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:40 UTC | 2871 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20
Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49755 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 208 | OUT | GET /rules/rule170012v12s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:40 UTC | 584 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:40 GMT
Content-Type: text/xml
Content-Length: 1353
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Sat, 25 May 2024 18:28:18 GMT
ETag: "0x8DC7CE8734A2850"
x-ms-request-id: 0c52b10d-f01e-0096-56c5-1310ef000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc55xsgnlxyxy40f4m000000007m000000000559y
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:40 UTC | 1353 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="12" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49758 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 207 | OUT | GET /rules/rule324001v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:40 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:40 GMT
Content-Type: text/xml
Content-Length: 513
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:31 GMT
ETag: "0x8DC582BD84BDCC1"
x-ms-request-id: 088c1420-201e-0071-50c5-13ff15000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc5546rn6ch9zv310e000000000qg000000001rrf
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:40 UTC | 513 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49754 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 207 | OUT | GET /rules/rule170022v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:40 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:40 GMT
Content-Type: text/xml
Content-Length: 756
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Sat, 27 Jul 2024 15:36:11 GMT
ETag: "0x8DCAE51D7B4AB9D"
x-ms-request-id: 240404f3-c01e-000b-68c5-13e255000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc55gs96cphvgp5f5vc00000007q0000000000b2m
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:40 UTC | 756 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170022" V="2" DC="SM" EN="Office.Graphics.GVisInkLoad" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" S="1" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="b8ipj" A="anui5"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49757 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 207 | OUT | GET /rules/rule490016v3s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:40 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:40 GMT
Content-Type: text/xml
Content-Length: 777
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT
ETag: "0x8DC582BEC2AAB32"
x-ms-request-id: 55f4d361-401e-0015-12c5-130e8d000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc55xgp8c992y5v5w1800000007p000000000g8q7
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:40 UTC | 777 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49760 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 207 | OUT | GET /rules/rule324004v4s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:41 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:40 GMT
Content-Type: text/xml
Content-Length: 738
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9FE7D4B"
x-ms-request-id: 79ea2b94-301e-0052-50c5-1365d6000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc55v7j95gq2uzq37a000000007t000000000efrt
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:41 UTC | 738 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49761 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 207 | OUT | GET /rules/rule324003v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:41 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:40 GMT
Content-Type: text/xml
Content-Length: 716
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT
ETag: "0x8DC582BD9F5CC0A"
x-ms-request-id: a3754404-d01e-005a-08c5-137fd9000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc55472x4k7dmphmadg00000007ag000000007bys
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:41 UTC | 716 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49759 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 207 | OUT | GET /rules/rule324002v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:41 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:40 GMT
Content-Type: text/xml
Content-Length: 833
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT
ETag: "0x8DC582BD9758B35"
x-ms-request-id: 36d17ada-601e-0002-50c5-13a786000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc55n4msds84xh4z67w000000018g00000000e0w2
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:41 UTC | 833 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49762 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:40 UTC | 207 | OUT | GET /rules/rule324005v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:41 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:41 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:51 GMT
ETag: "0x8DC582BC0B3C3C8"
x-ms-request-id: 671d7465-a01e-0084-65c5-139ccd000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064941Z-15767c5fc554w2fgapsyvy8ua0000000075g000000006mdt
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:41 UTC | 599 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49763 | 13.107.246.45 | 443 | 4340 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-01 06:49:41 UTC | 207 | OUT | GET /rules/rule324006v2s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-10-01 06:49:41 UTC | 491 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 06:49:41 GMT
Content-Type: text/xml
Content-Length: 599
Connection: close
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:26:44 GMT
ETag: "0x8DC582BBC83D642"
x-ms-request-id: 0c52b2bd-f01e-0096-74c5-1310ef000000
x-ms-version: 2018-03-28
x-azure-ref: 20241001T064940Z-15767c5fc55v7j95gq2uzq37a000000007w0000000008012
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
X-Cache-Info: L1_T2
Accept-Ranges: bytes
2024-10-01 06:49:41 UTC | 599 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">


Target ID: 0
Start time: 02:48:30
Start date: 01/10/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0x770000
File size: 53'161'064 bytes
MD5 hash: 4A871771235598812032C822E6F68F19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 02:49:35
Start date: 01/10/2024
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff73f1a0000
File size: 163'840 bytes
MD5 hash: 77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

No disassembly