Windows Analysis Report
Credit_DetailsCBS24312017915.xla.xlsx

Overview

General Information

Sample name:Credit_DetailsCBS24312017915.xla.xlsx
Analysis ID:1559099
MD5:eef29d1f4da931d2dedc293ceb773a81
SHA1:b99ca17da434e7b3a5879c2e8b44adeedccb81e5
SHA256:704bec281fefdbd486f5fc253e6c011a045b632e022dfba7b8e1e0782dc53075
Tags: xla, xlsx, user-abuse_ch
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Machine Learning detection for sample
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Unable to load, office file is protected or invalid
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 1492 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 7544 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
    • Acrobat.exe (PID: 7716 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
  • EXCEL.EXE (PID: 8120 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Credit_DetailsCBS24312017915.xla.xlsx" MD5: 4A871771235598812032C822E6F68F19)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection, Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton: Data: DestinationIp: 5.45.108.48, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1492, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 50000
Source: Network Connection, Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 50000, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1492, Protocol: tcp, SourceIp: 5.45.108.48, SourceIsIpv6: false, SourcePort: 443

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T08:06:53.089665+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 50002 | 13.107.246.45 | 443 | TCP
2024-11-20T08:07:00.281065+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 50003 | 13.107.246.45 | 443 | TCP

AV Detection

Source: Credit_DetailsCBS24312017915.xla.xlsx, ReversingLabs: Detection: 26%
Source: Credit_DetailsCBS24312017915.xla.xlsx, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown, HTTPS traffic detected: 5.45.108.48:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:50002 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: global traffic, DNS query: name: link.uebie.de
Source: global traffic, TCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global traffic, TCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global traffic, TCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 5.45.108.48:443 -> 192.168.2.5:50000
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50000 -> 5.45.108.48:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 192.168.2.5:50002 -> 13.107.246.45:443
Source: global trafficTCP traffic: 13.107.246.45:443 -> 192.168.2.5:50002
Source: global traffic; TCP traffic: 192.168.2.5:50003 -> 13.107.246.45:443
Source: global traffic; TCP traffic: 13.107.246.45:443 -> 192.168.2.5:50003
Source: excel.exe; Memory has grown: Private usage: 1MB later: 76MB
Source: Joe Sandbox View; IP Address: 13.107.246.45
Source: Joe Sandbox View; IP Address: 5.45.108.48
Source: Joe Sandbox View; JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50002 -> 13.107.246.45:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50003 -> 13.107.246.45:443
Source: global traffic; HTTP traffic detected: GET /cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=wild&compute HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: link.uebie.de
    Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
    Host: otelrules.azureedge.net
Source: global traffic; HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
    Host: otelrules.azureedge.net
Source: global traffic; DNS traffic detected: DNS query: link.uebie.de
Source: Credit_DetailsCBS24312017915.xla.xlsx, A4A40000.1.dr; String found in binary or memory: https://link.uebie.de/cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=w
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown; Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown; HTTPS traffic detected: 5.45.108.48:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:50002 version: TLS 1.2

System Summary

Source: Credit_DetailsCBS24312017915.xla.xlsx; OLE: Microsoft Excel 2007+
Source: ~DFF4B7119A51C723A1.TMP.1.dr; OLE: Microsoft Excel 2007+
Source: A4A40000.1.dr; OLE: Microsoft Excel 2007+
Source: Credit_DetailsCBS24312017915.xla.xlsx; OLE indicator, VBA macros: true
Source: Credit_DetailsCBS24312017915.xla.xlsx; Stream path 'MBD001F0D5F/\x1Ole' : https://link.uebie.de/cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=wild&computeu@E!A4LNVm-ZLx;syakigC1lfAgfnptvzXvQbxOAZ6xiXWMhlClNG5mUwXqadhA4YByJE4skpMNrly5k1rq4mZH9TlEn5r5moJVuyQVOZuq3u8sCPxnEdja#Bv+<(en;d
Source: A4A40000.1.dr; Stream path 'MBD001F0D5F/\x1Ole' : https://link.uebie.de/cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=wild&computeu@E!A4LNVm-ZLx;syakigC1lfAgfnptvzXvQbxOAZ6xiXWMhlClNG5mUwXqadhA4YByJE4skpMNrly5k1rq4mZH9TlEn5r5moJVuyQVOZuq3u8sCPxnEdja#Bv+<(en;d
Source: ~DFF4B7119A51C723A1.TMP.1.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Window title found: microsoft excel okexcel cannot open the file 'credit_detailscbs24312017915.xla.xlsx' because the file format or file extension is not valid. verify that the file has not been corrupted and that the file extension matches the format of the file.
Source: classification engine; Classification label: mal60.expl.winXLSX@6/26@1/2
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\Desktop\~$Credit_DetailsCBS24312017915.xla.xlsx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{15EB72A8-74FF-42E3-9F11-959133008E47} - OProcSessId.dat
Source: Credit_DetailsCBS24312017915.xla.xlsx; OLE indicator, Workbook stream: true
Source: A4A40000.1.dr; OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: Credit_DetailsCBS24312017915.xla.xlsx; ReversingLabs: Detection: 26%
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Credit_DetailsCBS24312017915.xla.xlsx"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Automated click: OK
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: Credit_DetailsCBS24312017915.xla.xlsx; Static file information: File size 1209344 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: ~DFF4B7119A51C723A1.TMP.1.dr; Initial sample: OLE indicators vbamacros = False
Source: Credit_DetailsCBS24312017915.xla.xlsx; Initial sample: OLE indicators encrypted = True
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
Source: Credit_DetailsCBS24312017915.xla.xlsx | Stream path 'MBD001F0D5E/Package' entropy: 7.99660556778 (max. 8.0)
Source: Credit_DetailsCBS24312017915.xla.xlsx | Stream path 'Workbook' entropy: 7.99890133143 (max. 8.0)
Source: ~DFF4B7119A51C723A1.TMP.1.dr | Stream path 'Package' entropy: 7.99541864111 (max. 8.0)
Source: A4A40000.1.dr | Stream path 'MBD001F0D5E/Package' entropy: 7.99541864111 (max. 8.0)
Source: A4A40000.1.dr | Stream path 'Workbook' entropy: 7.99855735707 (max. 8.0)
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 1005
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 13 Exploitation for Client Execution | 1 Scripting | 1 Process Injection | 2 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Extra Window Memory Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Extra Window Memory Injection | LSA Secrets | 1 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| Credit_DetailsCBS24312017915.xla.xlsx | 26% | ReversingLabs | Win32.Exploit.CVE-2017-0199 | |
| Credit_DetailsCBS24312017915.xla.xlsx | 100% | Joe Sandbox ML | | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://link.uebie.de/cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=wild&compute | 0% | Avira URL Cloud | safe | |
| https://link.uebie.de/cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=w | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0014.t-0009.t-msedge.net | 13.107.246.42 | true | false | | high |
| link.uebie.de | 5.45.108.48 | true | false | | high |
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://link.uebie.de/cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=wild&compute | false | Avira URL Cloud: safe | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://link.uebie.de/cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=w | Credit_DetailsCBS24312017915.xla.xlsx, A4A40000.1.dr | false | Avira URL Cloud: safe | unknown |
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 13.107.246.45 | s-part-0017.t-0009.t-msedge.net | United States | | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 5.45.108.48 | link.uebie.de | Germany | | 197540 | NETCUP-ASnetcupGmbHDE | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559099
Start date and time: 2024-11-20 08:04:25 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Credit_DetailsCBS24312017915.xla.xlsx
Detection: MAL
Classification: mal60.expl.winXLSX@6/26@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.28.47, 23.43.61.160, 13.78.111.198, 13.89.178.27
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, onedscolprdjpe00.japaneast.cloudapp.azure.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, onedscolprdcus03.centralus.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, uks-azsc-000.roaming.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, azu
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Credit_DetailsCBS24312017915.xla.xlsx
| Time | Type | Description |
|---|---|---|
| 02:06:46 | API Interceptor | 1052x Sleep call for process: splwow64.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 13.107.246.45 | https://pcefan.com/diary/index.php?st-manager=1&path=/click/track&id=4973&type=ranking&url=http://nam.dcv.ms/BxPVLH2cz4 | malicious | HTMLPhisher | nam.dcv.ms/BxPVLH2cz4 |
| 5.45.108.48 | PO-000041492.xls | malicious | HTMLPhisher, Lokibot | |
| | #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader | |
| | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | |
| | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | |
| | Order_Summary.xls | malicious | Remcos, HTMLPhisher | |
| | Signert kontrakt og faktura.xls | malicious | Unknown | |
| | New order.xls | malicious | Unknown | |
| | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot | |
| | Purchase order (2).xls | malicious | HTMLPhisher, Lokibot | |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| s-part-0014.t-0009.t-msedge.net | https://www.amtso.org/check-desktop-phishing-page/ | malicious | Unknown | 13.107.246.42 |
| | file.exe | malicious | LummaC | 13.107.246.42 |
| | file.exe | malicious | LummaC | 13.107.246.42 |
| | file.exe | malicious | LummaC | 13.107.246.42 |
| | INVOICE DUE.xlsx | malicious | Unknown | 13.107.246.42 |
| | PO-54752454235.hta | malicious | Remcos | 13.107.246.42 |
| | http://frenzelit.powerappsportals.com | malicious | HtmlDropper, HTMLPhisher | 13.107.246.42 |
| | https://gen-techs.site/s/ind.html#123@123.com | malicious | HTMLPhisher | 13.107.246.42 |
| | https://app.bitdam.com/api/v1.0/links/rewrite_click/?rewrite_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXdyaXRlX2lkIjoiNjcyOGQ2YzliOTFmMDRhNDE1NjM3NTRhIiwidXJsIjoiIiwib3JnYW5pemF0aW9uX2lkIjo1ODQwfQ.Uhd2nS1gN1sUzvqpPDTmoAH1ZU9vF-hNz1sM06cv-iA&url=https%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.ro/url%3Fq%3Dhttps%3A//www.google.nl/url%3Fq%3DZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%6E%65%77%68%6F%6D%65%73%76%6E%2E%63%6F%6D%2F%63%67%69%2F/3we/Y29saW4uZ3JhbnRAZmlyc3RvbnRhcmlvLmNvbQ== | malicious | Unknown | 13.107.246.42 |
| | Order 1108739138.vbs | malicious | Unknown | 13.107.246.42 |
| s-part-0017.t-0009.t-msedge.net | Payment Advice.xls | malicious | Unknown | 13.107.246.45 |
| | Delivery_Notification_00116030.doc.js | malicious | Unknown | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2FiO8EME-SUREDANNaW50ZXJtb2RhbC5qYXhAc2VhYm9hcmRtYXJpbmUuY29t | malicious | Unknown | 13.107.246.45 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | https://estudioit.cl/starl/#ZGVicmEuY2FydGVyQGNhc2EuZ292LmF1 | malicious | Unknown | 13.107.246.45 |
| | http://www.dvdcollections.co.uk/search/redirect.php?deeplink=https://lp-engenharia.com/zerooo/?email=mwright@burbankca.gov | malicious | HTMLPhisher | 13.107.246.45 |
| link.uebie.de | PO-000041492.xls | malicious | HTMLPhisher, Lokibot | 5.45.108.48 |
| | #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader | 5.45.108.48 |
| | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 5.45.108.48 |
| | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 5.45.108.48 |
| | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 5.45.108.48 |
| | Signert kontrakt og faktura.xls | malicious | Unknown | 5.45.108.48 |
| | New order.xls | malicious | Unknown | 5.45.108.48 |
| | Purchase order (1).xls | malicious | HTMLPhisher, Lokibot | 5.45.108.48 |
| | Purchase order (2).xls | malicious | HTMLPhisher, Lokibot | 5.45.108.48 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| MICROSOFT-CORP-MSN-AS-BLOCKUS | Payment Advice.xls | malicious | Unknown | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.60 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.45 |
| | arm7.nn-20241120-0508.elf | malicious | Mirai, Okiru | 21.45.10.209 |
| | arm.nn-20241120-0508.elf | malicious | Mirai, Okiru | 20.124.214.104 |
| | meow.arm7.elf | malicious | Unknown | 21.107.60.201 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | x86_32.nn.elf | malicious | Mirai, Okiru | 20.229.229.121 |
| | https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2FiO8EME-SUREDANNaW50ZXJtb2RhbC5qYXhAc2VhYm9hcmRtYXJpbmUuY29t | malicious | Unknown | 13.107.246.44 |
| | mipsel.nn.elf | malicious | Mirai, Okiru | 21.155.76.73 |
| NETCUP-ASnetcupGmbHDE | PO-000041492.xls | malicious | HTMLPhisher, Lokibot | 5.45.108.48 |
| | #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader | 5.45.108.48 |
| | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 5.45.108.48 |
| | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 5.45.108.48 |
| | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 5.45.108.48 |
| | ickTGSF56D.exe | malicious | Unknown | 37.120.186.122 |
| | 63w24wNW0d.exe | malicious | Unknown | 152.89.107.62 |
| | XzCRLowRXn.exe | malicious | Unknown | 46.232.250.51 |
| | Signert kontrakt og faktura.xls | malicious | Unknown | 5.45.108.48 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 6271f898ce5be7dd52b0fc260d0662b3 | nested-phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 5.45.108.48 |
| | https://www.google.ie/url?q=queryy8px(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2ftranscabrera.com%2fyaya%2f37w6telbuncxaji5ywvxeooxd1ok88ou67nhi/bWFyay5tY2tlbnppZUBtYWdlbGxhbmxwLmNvbQ==$? | malicious | HTMLPhisher | 5.45.108.48 |
| | https://brand.site/896562718995127961820892 | malicious | HTMLPhisher | 5.45.108.48 |
| | EIR5pTRn9R.exe | malicious | DragonForce | 5.45.108.48 |
| | NoteID [4962398] _Secure_Document_Mrettinger-46568.docx | malicious | HTMLPhisher | 5.45.108.48 |
| | phish_alert_sp1_1.0.0.0(1).eml | malicious | KnowBe4 | 5.45.108.48 |
| | REMITTANCE_Confrimationsslip54342Bqlaw.html | malicious | Unknown | 5.45.108.48 |
| | Signert kontrakt og faktura.xls | malicious | Unknown | 5.45.108.48 |
| | New order.xls | malicious | Unknown | 5.45.108.48 |
| | purchase order (2).xls | malicious | Unknown | 5.45.108.48 |
| a0e9f5d64349fb13191bc781f81f42e1 | Payment Advice.xls | malicious | Unknown | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.45 |
                          No context
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):118
                          Entropy (8bit):3.5700810731231707
                          Encrypted:false
                          SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                          MD5:573220372DA4ED487441611079B623CD
                          SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                          SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                          SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):227002
                          Entropy (8bit):3.392780893644728
                          Encrypted:false
                          SSDEEP:1536:WKPC4iyzDtrh1cK3XEivK7VK/3AYvYwgF/rRoL+sn:DPCaJ/3AYvYwglFoL+sn
                          MD5:87EDBEE38F56C20298F25D5D3D4D1B5C
                          SHA1:7F904E9615AC3186A87472EF366DD8202855B0B7
                          SHA-256:A46B56D3ABCC137D1872DDF20EED4BCD7D04518282282ADB32DDCCF70D7FFBA6
                          SHA-512:BBEBC1FCD5BC9AE042DD5782425BA8C47BF3EAC283B2487FC4E3FF6BF8101306DAB081E5135594165D4DC1AC120FF125AADBC5B3FFE7C646183C04DF77865E0D
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):784
                          Entropy (8bit):2.7137690747287806
                          Encrypted:false
                          SSDEEP:24:YIrNvpKAzLRwcfHGF8AJp9WtAZRJ5poIHWI:YmbfzLmc88AJtfJ52IHV
                          MD5:09F73B3902CD3D88E04312787956B654
                          SHA1:A6C275F1A65DB02D8A752C614C27E88326447C41
                          SHA-256:72971990E5DC57AC8F4F27701158F6DC16E235814EA17DECA95E59CF5F60BC26
                          SHA-512:6A68530BA4D4413B587E340CF871162036B6AC60AC0F969C07C70967C3102ADDE3C895BA6F1E2590D9D0C98C253ADFA33CA84E65106C3B56F506FE0E06F0ADA9
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):1505804
                          Entropy (8bit):1.0131675255893926
                          Encrypted:false
                          SSDEEP:3072:Jt1AvxBPd9Dd13m5WKJF4PUGN5HQD8X9Y5Iw:5AvxBPd9Dd13m5WKJF4PUGNtmq9Oz
                          MD5:DE969B3826C32C1FEB0E9B2713AF6F9E
                          SHA1:D8ECED9D53CDC048722216ECDD951A8FCD629734
                          SHA-256:E301D2C1DBD180A938D8B3EC444F19782A06329340C668D364DA3108CCDA8019
                          SHA-512:80B99C088F566D0F4A57240BFE41468CBDE3C3B026AAA3E39A840A2281372A97FBA34FE86BF8F0640190059C2CBFC4565B3D93F2BE7A50EB741FA7FF1B04F1A0
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):2201052
                          Entropy (8bit):2.6497735159189073
                          Encrypted:false
                          SSDEEP:6144:5HVsE/HKI403/V6rLFS6LccaJ+Wh2uQs/s6fzJ8sYQVlVs2w3QotI7XjRWKKS09U:5VsE/KSPV6VS6dakWN/lkK9
                          MD5:14B4C816CEA17444CD4BB794B27F2921
                          SHA1:10E1410FBD4DD49EE9B73F8D5AAB3B0DA5DD9580
                          SHA-256:A304F47E765B3A73F395DAC556A7FE4DD7CC8E9A1061BECDD60BAA149ACA4792
                          SHA-512:A22823893547532F99D0C88A2616C0A9192BF72EBDF87A8549E8A399055DBF1414F1A0D639604706DD1445DBB0A3F708FF7A6ABAC00A039A49B02CB3C80B40A2
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:PNG image data, 42 x 51, 8-bit/color RGBA, non-interlaced
                          Category:dropped
                          Size (bytes):822
                          Entropy (8bit):7.616419704330421
                          Encrypted:false
                          SSDEEP:12:6v/7LWb/EYintm3eiVOOrbyUv5uNEXoNGJ/qiIXrqOoNUHGcvlf3vKyo1AIJc8Ni:eeinouisOPAYGK/qhLoNUHL9f3iZPpNi
                          MD5:35C4E9D7C83D8F4A6792B18A15937836
                          SHA1:FD15558DDC4DB88D3BB5491F2064B3C2AFBC85DF
                          SHA-256:A8C99F80AB0A94ED469AE026947C14FF6C41F7EB816933EB7A54FCB937FB82B6
                          SHA-512:1906EFA3A254C7E955D786C15C4E1A870B5BD9BFC815704E7BE507FEF383E5F602783C55EC33D0CB38710FC44728E97F36FE25E67B6C4934C221DB525B25D67C
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):1505804
                          Entropy (8bit):1.0131675255893926
                          Encrypted:false
                          SSDEEP:3072:Jt1AvxBPd9Dd13m5WKJF4PUGN5HQD8X9Y5Iw:5AvxBPd9Dd13m5WKJF4PUGNtmq9Oz
                          MD5:DE969B3826C32C1FEB0E9B2713AF6F9E
                          SHA1:D8ECED9D53CDC048722216ECDD951A8FCD629734
                          SHA-256:E301D2C1DBD180A938D8B3EC444F19782A06329340C668D364DA3108CCDA8019
                          SHA-512:80B99C088F566D0F4A57240BFE41468CBDE3C3B026AAA3E39A840A2281372A97FBA34FE86BF8F0640190059C2CBFC4565B3D93F2BE7A50EB741FA7FF1B04F1A0
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):1505804
                          Entropy (8bit):0.9850242873287793
                          Encrypted:false
                          SSDEEP:1536:rJn05XMVrZJMgeLTbAKhvgZkDzuYDIzlmJHNaTOShb1iMWlP6AV6raEkvwZys1EE:CM1mIwuYDIzYwWh61nyJjov
                          MD5:F0CDA32685A28901414E67D9F89FE92C
                          SHA1:51453F337E4E9F48D0E075D41494B184B1BCE624
                          SHA-256:1259A6035F401C752A6065948E40457F8122C6DCBEE55957AD26248B47B33C17
                          SHA-512:F9A21CE2E72E79D264D13E65D7109A91E95EB42F56CB30E545761D0DE7F8DD3EC0ECAEA9E8855E90E8DB7D7E133CC0C724C6B63F85C9150C968E160689EA7A46
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):2201052
                          Entropy (8bit):2.6497735159189073
                          Encrypted:false
                          SSDEEP:6144:5HVsE/HKI403/V6rLFS6LccaJ+Wh2uQs/s6fzJ8sYQVlVs2w3QotI7XjRWKKS09U:5VsE/KSPV6VS6dakWN/lkK9
                          MD5:14B4C816CEA17444CD4BB794B27F2921
                          SHA1:10E1410FBD4DD49EE9B73F8D5AAB3B0DA5DD9580
                          SHA-256:A304F47E765B3A73F395DAC556A7FE4DD7CC8E9A1061BECDD60BAA149ACA4792
                          SHA-512:A22823893547532F99D0C88A2616C0A9192BF72EBDF87A8549E8A399055DBF1414F1A0D639604706DD1445DBB0A3F708FF7A6ABAC00A039A49B02CB3C80B40A2
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:PNG image data, 55 x 39, 8-bit colormap, interlaced
                          Category:dropped
                          Size (bytes):1136
                          Entropy (8bit):7.14782184831536
                          Encrypted:false
                          SSDEEP:24:ct4piFqtc+YQKOQw45DymHbFUN9F2zFg91p:Poqtc+fJX+Xarrp
                          MD5:49A2F544E34D8473E29F8C4D9CB10D78
                          SHA1:8B30666DE8F119B1C2E800C2B2437C09C4F6CEC9
                          SHA-256:52417106494ECBBDD3A3D56DE565996562A1C0B0C29C4F43ED99E5FCB4805E07
                          SHA-512:091D234ED76AFDEFC4AB3D1687FEE14DDFCFE0149F01106716ED383EB6FC8913803B26A32C69E15ECC85F6781DF09BD1C712193D8A234042E844730C56864128
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):2201052
                          Entropy (8bit):2.6493928921555234
                          Encrypted:false
                          SSDEEP:6144:2aVsE/HKI40a/VTrLFS6LccaJ+6h2uQs/s6/zJ8sYQVlVs2w3QotI7XjRWKKS09I:TVsE/KSGVTVS6dak6N/lEKJ
                          MD5:97D637CF80CC3A54AEE63046FD5296DB
                          SHA1:2106978AAB6EA9CE7A837ED50609389F16A08A96
                          SHA-256:573852D9102B5F032C983884598850F51C429B2EACCABA8176B04C08236157CA
                          SHA-512:FA563975EA797DD71817237B61220AECF539FFE1B768C768AE15BE61CE961DA051D0395839737723DCDF8BE67A96408E6C5B02F1CC96EE687BE7ACA2BED0684C
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):2201052
                          Entropy (8bit):2.65058125573034
                          Encrypted:false
                          SSDEEP:6144:QMVsE/HKI403/V+rLFS6LccaJ+Kh2uQs/s6ezJ8sYQVlVs2w3QotI7XjRWKKS09G:zVsE/KSPV+VS6dakKN/lHKD
                          MD5:A8DB25F76B64AE179BF480FBE559DF26
                          SHA1:DE145A97C1F83EA00ECB33E6D1B346819F3D7709
                          SHA-256:B72DDCA2DA2A0308B725482A3B5F98ECEE41013B1A14C17750346FEB813E7DB1
                          SHA-512:A872E40EE592649B3F0B937843AC6FCD97271BA29CF2A4EB2B6EA82253827046C1825DA8C62A1CA6D7B1DF03DB7A6392644A64A66958705CB5E3824D0220C667
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):1505804
                          Entropy (8bit):0.9850242873287793
                          Encrypted:false
                          SSDEEP:1536:rJn05XMVrZJMgeLTbAKhvgZkDzuYDIzlmJHNaTOShb1iMWlP6AV6raEkvwZys1EE:CM1mIwuYDIzYwWh61nyJjov
                          MD5:F0CDA32685A28901414E67D9F89FE92C
                          SHA1:51453F337E4E9F48D0E075D41494B184B1BCE624
                          SHA-256:1259A6035F401C752A6065948E40457F8122C6DCBEE55957AD26248B47B33C17
                          SHA-512:F9A21CE2E72E79D264D13E65D7109A91E95EB42F56CB30E545761D0DE7F8DD3EC0ECAEA9E8855E90E8DB7D7E133CC0C724C6B63F85C9150C968E160689EA7A46
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):6073848
                          Entropy (8bit):1.1024538879317303
                          Encrypted:false
                          SSDEEP:6144:sDrvwnxQz/DxIrnWAvVBP9pPdN3mVWKJ14PUGRFym9OxAvxBPd9Dd13m5WKJF4Pk:VmFKpgQcJ
                          MD5:363EA551247AD3C5359A3C99DFC06EAC
                          SHA1:C4CBE6E5C2F91392138A1DFCD9FF5794946DEBE1
                          SHA-256:E42736F3A2CEC4BEDD8263576E0A397B68D599ABC88311E298D16BB7EDB1E287
                          SHA-512:AE3679D118F55D8867FB4FBD692C6A42D8790FDD96056AF2E4257B19903974A5EFB42D2E85DAA3F5AC8A6CE04B5E57D84363D92E1332B04FB5BB3F9DF48C0F81
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                          Category:dropped
                          Size (bytes):2200740
                          Entropy (8bit):2.6498959640704953
                          Encrypted:false
                          SSDEEP:6144:w3VsE/HKI403/VurLFS6LccaJ+qh2uQs/s63DzJ8sYQVlVs2w3QotI7XjRWKKS08:cVsE/KSPVuVS6dakqN/l3YKn
                          MD5:66194B1ED2BCBB5358DA105876F6D42E
                          SHA1:A1980B4E5C4C04BDB158589A9576351F96751031
                          SHA-256:40809253F826B328E36D16D5F2B5ACCB730AE5BFAB6B3DC543CB4CAAF9B3B110
                          SHA-512:6406CD517BFBC0CF6193A24728CD39CBBFC9C21EA4913C2C0415B07B4E1F5F85D3A4CD094A15AD9148AA9B54516629400586C38B3EF6D0D5603252E7F8867095
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):784
                          Entropy (8bit):2.7137690747287806
                          Encrypted:false
                          SSDEEP:24:YIrNvpKAzLRwcfHGF8AJp9WtAZRJ5poIHWI:YmbfzLmc88AJtfJ52IHV
                          MD5:09F73B3902CD3D88E04312787956B654
                          SHA1:A6C275F1A65DB02D8A752C614C27E88326447C41
                          SHA-256:72971990E5DC57AC8F4F27701158F6DC16E235814EA17DECA95E59CF5F60BC26
                          SHA-512:6A68530BA4D4413B587E340CF871162036B6AC60AC0F969C07C70967C3102ADDE3C895BA6F1E2590D9D0C98C253ADFA33CA84E65106C3B56F506FE0E06F0ADA9
                          Malicious:false
                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                          File Type:ASCII text, with very long lines (393)
                          Category:dropped
                          Size (bytes):16525
                          Entropy (8bit):5.376360055978702
                          Encrypted:false
                          SSDEEP:384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
                          MD5:1336667A75083BF81E2632FABAA88B67
                          SHA1:46E40800B27D95DAED0DBB830E0D0BA85C031D40
                          SHA-256:F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
                          SHA-512:D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
                          Malicious:false
                          Preview:SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:
                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                          File Type:ASCII text, with very long lines (393), with CRLF line terminators
                          Category:dropped
                          Size (bytes):16605
                          Entropy (8bit):5.3586213544260275
                          Encrypted:false
                          SSDEEP:384:xH1OdTYffw1njUIY66Kuj2kbGO9ULvOSZE/3Ldx9ZzErDmD2D8D5/3wHs1q1sdTD:pKcp
                          MD5:0BA7175A8AFF011A284F9F549D19EAA2
                          SHA1:640DBBA3E437CB6EA766D57A96A3B7B248657389
                          SHA-256:C79634D052591B615696AF6A1CCE53EB0708F159757483D814414221F8347F89
                          SHA-512:F65FC15E53773A3D6E3A17038FFDD6583C3C21C5D98E68C054057184C24131E803AA6A81DCEF06047E158970FD21D3A91801B31C079C8BA96EF6B12E1CA4E440
                          Malicious:false
                          Preview:SessionID=06eb6200-8f1c-4199-a707-f3d441fd8b65.1732086417891 Timestamp=2024-11-20T02:06:57:891-0500 ThreadID=7940 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=06eb6200-8f1c-4199-a707-f3d441fd8b65.1732086417891 Timestamp=2024-11-20T02:06:57:892-0500 ThreadID=7940 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=06eb6200-8f1c-4199-a707-f3d441fd8b65.1732086417891 Timestamp=2024-11-20T02:06:57:892-0500 ThreadID=7940 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=06eb6200-8f1c-4199-a707-f3d441fd8b65.1732086417891 Timestamp=2024-11-20T02:06:57:892-0500 ThreadID=7940 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=06eb6200-8f1c-4199-a707-f3d441fd8b65.1732086417891 Timestamp=2024-11-20T02:06:57:892-0500 ThreadID=7940 Component=ngl-lib_NglAppLib Description="SetConf
                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):29845
                          Entropy (8bit):5.397156552287695
                          Encrypted:false
                          SSDEEP:768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbf:r
                          MD5:514421756392DC8AB97DD34BFFD91566
                          SHA1:9265E45FCD6BECD824BADFAFB1AECC36CE3CFF30
                          SHA-256:0DAA1B08D8FEBCE6C8311534952C6FCF71454EDED452C6BA24A7265A552D0965
                          SHA-512:931C54BABBDE80AF8F7F4913DBB5F1DA00EAD90ED9877EAABD215E122A984EE4E85B09E777BF564F3C8868549DDAAFAFD9E287D487C67226A2F2F73846CCCEA8
                          Malicious:false
                          Preview:04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):790528
                          Entropy (8bit):7.944117450247484
                          Encrypted:false
                          SSDEEP:12288:D+H8uGC1r20RbsM1JceULrN/jBRNYl1+7k55r7Z3AUuNDhVgrIpC4DF:CHbGAr20A48XN/jB4gkDr75BBrIpjD
                          MD5:0BDECE9FC9A53A7510F1F7D6CB7473FD
                          SHA1:283F7C76450EBA3C3630256156E3AE42BA278088
                          SHA-256:99352155FBBE48DC7EA55FEC9BD551F0FAF9749C8D8416DCB9723DD82DC2E9E3
                          SHA-512:869B851C3F29B0FE8D0AE0F7B81216695BD06FF5FCA14CD61365701BAAC142D3A370C6D327047CB86264BE76369EB4C0F186AAB3C8E0B801C104FB30E881467C
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):512
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3::
                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Composite Document File V2 Document, Cannot read section info
                          Category:dropped
                          Size (bytes):788480
                          Entropy (8bit):7.973269733807838
                          Encrypted:false
                          SSDEEP:12288:C+H8uGC1r20RbsM1JceULrN/jBRNYl1+7k55r7Z3AUuNDhVgrIpC4DF:vHbGAr20A48XN/jB4gkDr75BBrIpjD
                          MD5:2CC706B16170F30FEB47F51B96635FBA
                          SHA1:43C3B5C512D0B5A518C77C7B43BB6C824905E7D2
                          SHA-256:90D86E816B9729AEAEF81506710EC229DCAAB9666EE46B465C2DD459E5294127
                          SHA-512:FFE90C94D2B105C3A6816FD47B9EFD72F7B5829E1408C31114140C113D04AC52E628093976B567831C316DD090BAD79B6B4951D67ED6BDFDE2036700D54F2F63
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 07:07:01 2024, Security: 1
                          Category:dropped
                          Size (bytes):1091584
                          Entropy (8bit):7.987175269327724
                          Encrypted:false
                          SSDEEP:24576:jHbGAr20A48XN/jB4gkDr75BBrIpjDbS7rXGj9XSiPQRH:7KAr2C8dW9DP5BRlrXE9CeQR
                          MD5:348F44A50A23D0347C032D95A17E95FC
                          SHA1:833C3259AED48ADFF109CD4DE16EBAF64681EEAF
                          SHA-256:F59C7A5C11E3548E0CD44F4D121E35B765EC09421D853CA1E11B31A3A0FB8E45
                          SHA-512:3BD0392D058000D20EB0B1882328A460CDAF5082BFCBDB6BF9346560015154BEFB2A7A8051BC7A67FA08E4B1E8CC3DE60A8E9B9FB1EE56107ED3AE4B618A717B
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 07:07:01 2024, Security: 1
                          Category:dropped
                          Size (bytes):1091584
                          Entropy (8bit):7.987175269327724
                          Encrypted:false
                          SSDEEP:24576:jHbGAr20A48XN/jB4gkDr75BBrIpjDbS7rXGj9XSiPQRH:7KAr2C8dW9DP5BRlrXE9CeQR
                          MD5:348F44A50A23D0347C032D95A17E95FC
                          SHA1:833C3259AED48ADFF109CD4DE16EBAF64681EEAF
                          SHA-256:F59C7A5C11E3548E0CD44F4D121E35B765EC09421D853CA1E11B31A3A0FB8E45
                          SHA-512:3BD0392D058000D20EB0B1882328A460CDAF5082BFCBDB6BF9346560015154BEFB2A7A8051BC7A67FA08E4B1E8CC3DE60A8E9B9FB1EE56107ED3AE4B618A717B
                          Malicious:false
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):165
                          Entropy (8bit):1.5231029153786204
                          Encrypted:false
                          SSDEEP:3:sYp5lFltt:sYp5Nv
                          MD5:B77267835A6BEAC785C351BDE8E1A61C
                          SHA1:FABD93A92989535D43233E3DB9C6579D8174740E
                          SHA-256:3B222E766EADC8BC9A8A90AC32FA591F313545B7E8C5D481D378AE307FA798C3
                          SHA-512:FFFCBA958E9BD56F284DA19592F124C48B013FCDA2FBE65B3EB38BB644C2B0C978E6DAE99EF213B054813C7212E119B09236A6FFF342D32E52C84DD26DE1E033
                          Malicious:true
                          Preview:.user ..a.l.f.o.n.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 19 02:23:43 2024, Security: 1
                          Entropy (8bit):7.982138954802739
                          TrID:
                          • Microsoft Excel sheet (30009/1) 47.99%
                          • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                          • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                          File name:Credit_DetailsCBS24312017915.xla.xlsx
                          File size:1'209'344 bytes
                          MD5:eef29d1f4da931d2dedc293ceb773a81
                          SHA1:b99ca17da434e7b3a5879c2e8b44adeedccb81e5
                          SHA256:704bec281fefdbd486f5fc253e6c011a045b632e022dfba7b8e1e0782dc53075
                          SHA512:997d05ca98c1a9eea684945f5b1d7ea3792759ba2225ad3dac1e473716aa200102b5c482cff62ff88fd2c602f2f9593ee73867e7c04acb074ac7acda4788de88
                          SSDEEP:24576:Oj+zrFr61Vw6XlGIR0nnGX0GU/aaXnYSTUZ6MNu3fQMykyZ09aaX67+:Oj+zg1BXYIRgnG4aGFTUZ6MNutKcaax
                          TLSH:AB452342B990AEA7C1A619778CE7D50AC00C7D60F521D49FB6883B2D3D743B58DEB12E
                          Icon Hash:35e58a8c0c8a85b9
                          Document Type:OLE
                          Number of OLE Files:1
                          Has Summary Info:
                          Application Name:Microsoft Excel
                          Encrypted Document:True
                          Contains Word Document Stream:False
                          Contains Workbook/Book Stream:True
                          Contains PowerPoint Document Stream:False
                          Contains Visio Document Stream:False
                          Contains ObjectPool Stream:False
                          Flash Objects Count:0
                          Contains VBA Macros:True
                          Code Page:1252
                          Author:
                          Last Saved By:
                          Create Time:2006-09-16 00:00:00
                          Last Saved Time:2024-11-19 02:23:43
                          Creating Application:Microsoft Excel
                          Security:1
                          Document Code Page:1252
                          Thumbnail Scaling Desired:False
                          Contains Dirty Links:False
                          Shared Document:False
                          Changed Hyperlinks:False
                          Application Version:786432
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                          VBA File Name:Sheet1.cls
                          Stream Size:977
                          Attribute VB_Name = "Sheet1"
                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True
                          

                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                          VBA File Name:Sheet2.cls
                          Stream Size:977
                          Attribute VB_Name = "Sheet2"
                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True
                          

                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                          VBA File Name:Sheet3.cls
                          Stream Size:977
                          Attribute VB_Name = "Sheet3"
                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True
                          

                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                          VBA File Name:ThisWorkbook.cls
                          Stream Size:985
                          Attribute VB_Name = "ThisWorkbook"
                          Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True
                          

                          General
                          Stream Path:\x1CompObj
                          CLSID:
                          File Type:data
                          Stream Size:114
                          Entropy:4.25248375192737
                          Base64 Encoded:True
                          Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                          General
                          Stream Path:\x5DocumentSummaryInformation
                          CLSID:
                          File Type:data
                          Stream Size:244
                          Entropy:2.889430592781307
                          Base64 Encoded:False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                          General
                          Stream Path:\x5SummaryInformation
                          CLSID:
                          File Type:data
                          Stream Size:200
                          Entropy:3.2882936681910495
                          Base64 Encoded:False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . a . * : . . . . . . . . .
                          General
                          Stream Path:MBD001F0D5E/\x1CompObj
                          CLSID:
                          File Type:data
                          Stream Size:99
                          Entropy:3.631242196770981
                          Base64 Encoded:False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                          General
                          Stream Path:MBD001F0D5E/Package
                          CLSID:
                          File Type:Microsoft Excel 2007+
                          Stream Size:813379
                          Entropy:7.996605567776931
                          Base64 Encoded:True
                          Data ASCII:P K . . . . . . . . . . ! . H . . . . k . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          General
                          Stream Path:MBD001F0D5F/\x1Ole
                          CLSID:
                          File Type:data
                          Stream Size:572
                          Entropy:4.590094481166577
                          Base64 Encoded:False
                          Data ASCII:. . . . . N @ ) . . . . . . . . . . . . . . . . y . . . K . . . . . h . t . t . p . s . : . / . / . l . i . n . k . . . u . e . b . i . e . . . d . e . / . c . H . Z . m . K . c . ? . & . m . o . t . o . r . c . a . r . = . j . u . d . i . c . i . o . u . s . & . k . e . y . b . o . a . r . d . i . n . g . = . h . i . l . a . r . i . o . u . s . & . r . a . n . d . o . m . i . s . a . t . i . o . n . = . o . b . e . i . s . a . n . t . & . s . h . o . p . = . w . i . l . d . & . c . o . m . p . u . t . e .
                          General
                          Stream Path:Workbook
                          CLSID:
                          File Type:Applesoft BASIC program data, first line number 16
                          Stream Size:372150
                          Entropy:7.998901331428487
                          Base64 Encoded:True
                          General
                          Stream Path:_VBA_PROJECT_CUR/PROJECT
                          CLSID:
                          File Type:ASCII text, with CRLF line terminators
                          Stream Size:525
                          Entropy:5.292386095644116
                          Base64 Encoded:True
                          Data ASCII:I D = " { 9 1 7 D 4 E 7 D - 3 4 D 7 - 4 A F 8 - 8 2 7 D - 6 B D B 5 A 6 6 9 7 C 5 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 1 2 3 2 6 2 E 2 A 2 E 2 A 2 E 2
                          General
                          Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                          CLSID:
                          File Type:data
                          Stream Size:104
                          Entropy:3.0488640812019017
                          Base64 Encoded:False
                          Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                          CLSID:
                          File Type:data
                          Stream Size:2644
                          Entropy:3.991048168753779
                          Base64 Encoded:False
                          Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/dir
                          CLSID:
                          File Type:data
                          Stream Size:553
                          Entropy:6.35992426419417
                          Base64 Encoded:True
                          Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . > N i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-11-20T08:06:53.089665+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 50002 | 13.107.246.45 | 443 | TCP
                          2024-11-20T08:07:00.281065+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 50003 | 13.107.246.45 | 443 | TCP
                          Nov 20, 2024 08:06:54.008193016 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.008593082 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.008615017 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.008735895 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.008744001 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.008836985 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.009341002 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.009361029 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.009500027 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.009507895 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.009532928 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.009627104 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.009728909 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.009747982 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.009787083 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.009793043 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.009818077 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.009985924 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.010405064 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.010423899 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.010523081 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.010524035 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.010530949 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.011058092 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.011254072 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.011272907 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.011341095 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.011349916 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.011354923 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.011454105 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.054680109 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.054702044 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.054768085 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.054795980 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.054855108 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.054997921 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.094769001 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.094791889 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.094939947 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.094954014 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.095038891 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.095422983 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.095444918 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.095504999 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.095510960 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.095616102 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.096209049 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.096225023 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.096291065 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.096299887 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.096405029 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.096903086 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.096918106 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.096976042 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.096983910 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.097079039 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.097656012 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.097671032 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.097762108 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.097769022 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.097853899 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.098440886 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.098500013 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.098510027 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.098515987 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.098583937 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.098726034 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.098726034 CET50002443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:54.098742962 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:54.098752975 CET4435000213.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:59.159235001 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:59.159277916 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:06:59.159359932 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:59.159668922 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:06:59.159694910 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:07:00.280191898 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:07:00.281064987 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:07:00.281125069 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:07:00.282227039 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:07:00.282233000 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:07:00.382781029 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:07:00.382855892 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:07:00.383073092 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:07:00.383095980 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:07:00.383131981 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:07:00.383332968 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:07:00.383352041 CET4435000313.107.246.45192.168.2.5
                          Nov 20, 2024 08:07:00.383367062 CET50003443192.168.2.513.107.246.45
                          Nov 20, 2024 08:07:00.383373022 CET4435000313.107.246.45192.168.2.5
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Nov 20, 2024 08:06:38.066293001 CET | 52155 | 53 | 192.168.2.5 | 1.1.1.1
                          Nov 20, 2024 08:06:38.099200964 CET | 53 | 52155 | 1.1.1.1 | 192.168.2.5

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Nov 20, 2024 08:06:38.066293001 CET | 192.168.2.5 | 1.1.1.1 | 0xeaed | Standard query (0) | link.uebie.de | A (IP address) | IN (0x0001) | false

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Nov 20, 2024 08:05:33.545510054 CET | 1.1.1.1 | 192.168.2.5 | 0x94af | No error (0) | shed.dual-low.s-part-0014.t-0009.t-msedge.net | s-part-0014.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                          Nov 20, 2024 08:05:33.545510054 CET | 1.1.1.1 | 192.168.2.5 | 0x94af | No error (0) | s-part-0014.t-0009.t-msedge.net | | 13.107.246.42 | A (IP address) | IN (0x0001) | false
                          Nov 20, 2024 08:06:38.099200964 CET | 1.1.1.1 | 192.168.2.5 | 0xeaed | No error (0) | link.uebie.de | | 5.45.108.48 | A (IP address) | IN (0x0001) | false
                          Nov 20, 2024 08:06:52.451817036 CET | 1.1.1.1 | 192.168.2.5 | 0x2bdb | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                          Nov 20, 2024 08:06:52.451817036 CET | 1.1.1.1 | 192.168.2.5 | 0x2bdb | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false

                          • link.uebie.de
                          • otelrules.azureedge.net
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.5 | 50000 | 5.45.108.48 | 443 | 1492 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

                          Timestamp | Bytes transferred | Direction | Data
                          2024-11-20 07:06:38 UTC | 280 | OUT | GET /cHZmKc?&motorcar=judicious&keyboarding=hilarious&randomisation=obeisant&shop=wild&compute HTTP/1.1
                          Accept: */*
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                          Host: link.uebie.de
                          Connection: Keep-Alive
                          2024-11-20 07:06:39 UTC | 221 | IN | HTTP/1.1 502 Bad Gateway
                          Server: openresty
                          Date: Wed, 20 Nov 2024 07:06:39 GMT
                          Content-Type: text/html
                          Content-Length: 154
                          Connection: close
                          Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                          2024-11-20 07:06:39 UTC | 154 | IN | Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>openresty</center></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.5 | 50002 | 13.107.246.45 | 443 | 1492 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

                          Timestamp | Bytes transferred | Direction | Data
                          2024-11-20 07:06:53 UTC | 219 | OUT | GET /rules/excel.exe-Production-v19.bundle HTTP/1.1
                          Connection: Keep-Alive
                          Accept-Encoding: gzip
                          User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                          Host: otelrules.azureedge.net
                          2024-11-20 07:06:53 UTC | 493 | IN | HTTP/1.1 200 OK
                          Date: Wed, 20 Nov 2024 07:06:53 GMT
                          Content-Type: text/plain
                          Content-Length: 1112622
                          Connection: close
                          Vary: Accept-Encoding
                          Cache-Control: public
                          Last-Modified: Tue, 19 Nov 2024 16:37:24 GMT
                          ETag: "0x8DD08B87292E458"
                          x-ms-request-id: ddf1f4c1-c01e-0034-0b19-3b2af6000000
                          x-ms-version: 2018-03-28
                          x-azure-ref: 20241120T070653Z-185f5d8b95c4hl5whC1NYCeex000000009sg00000000dhca
                          x-fd-int-roxy-purgeid: 0
                          X-Cache: TCP_HIT
                          X-Cache-Info: L1_T2
                          Accept-Ranges: bytes


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.5 | 50003 | 13.107.246.45 | 443 | 1492 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

                          Timestamp | Bytes transferred | Direction | Data
                          2024-11-20 07:07:00 UTC | 207 | OUT | GET /rules/rule120603v8s19.xml HTTP/1.1
                          Connection: Keep-Alive
                          Accept-Encoding: gzip
                          User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                          Host: otelrules.azureedge.net
                          2024-11-20 07:07:00 UTC | 515 | IN | HTTP/1.1 200 OK
                          Date: Wed, 20 Nov 2024 07:07:00 GMT
                          Content-Type: text/xml
                          Content-Length: 2128
                          Connection: close
                          Vary: Accept-Encoding
                          Cache-Control: public, max-age=604800, immutable
                          Last-Modified: Tue, 09 Apr 2024 00:26:04 GMT
                          ETag: "0x8DC582BA41F3C62"
                          x-ms-request-id: 82230a5b-801e-008f-728c-3a2c5d000000
                          x-ms-version: 2018-03-28
                          x-azure-ref: 20241120T070700Z-1777c6cb7549j9hhhC1TEBzmcc000000091g00000000nymm
                          x-fd-int-roxy-purgeid: 0
                          X-Cache: TCP_HIT
                          X-Cache-Info: L1_T2
                          Accept-Ranges: bytes
                          2024-11-20 07:07:00 UTC | 2128 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120603" V="8" DC="SM" EN="Office.System.SystemHealthMetadataApplicationAdditional" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" E="false" DL=


                          Target ID: 1
                          Start time: 02:05:41
                          Start date: 20/11/2024
                          Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          Wow64 process (32bit): true
                          Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                          Imagebase: 0x600000
                          File size: 53'161'064 bytes
                          MD5 hash: 4A871771235598812032C822E6F68F19
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: false

                          Target ID: 6
                          Start time: 02:06:46
                          Start date: 20/11/2024
                          Path: C:\Windows\splwow64.exe
                          Wow64 process (32bit): false
                          Commandline: C:\Windows\splwow64.exe 12288
                          Imagebase: 0x7ff74f060000
                          File size: 163'840 bytes
                          MD5 hash: 77DE7761B037061C7C112FD3C5B91E73
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: false

                          Target ID: 8
                          Start time: 02:06:56
                          Start date: 20/11/2024
                          Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                          Wow64 process (32bit): false
                          Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding
                          Imagebase: 0x7ff686a00000
                          File size: 5'641'176 bytes
                          MD5 hash: 24EAD1C46A47022347DC0F05F6EFBB8C
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 10
                          Start time: 02:07:02
                          Start date: 20/11/2024
                          Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                          Wow64 process (32bit): true
                          Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Credit_DetailsCBS24312017915.xla.xlsx"
                          Imagebase: 0x600000
                          File size: 53'161'064 bytes
                          MD5 hash: 4A871771235598812032C822E6F68F19
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Call Graph

                          callgraph 1 Error: Graph is empty

                          Module: Sheet1

                          Declaration

                          Attribute VB_Name = "Sheet1"
                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True

                          Module: Sheet2

                          Declaration

                          Attribute VB_Name = "Sheet2"
                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True

                          Module: Sheet3

                          Declaration

                          Attribute VB_Name = "Sheet3"
                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True

                          Module: ThisWorkbook

                          Declaration

                          Attribute VB_Name = "ThisWorkbook"
                          Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True
